Introduction

About the REST API Reference Manual

This is the Splunk Enterprise REST API Reference Manual, which gives summary and detailed endpoint descriptions for accessing REST resources. Read the REST API User Manual for basic concepts you need to know before using the API.

This introduction describes how to use the reference documentation.

Resource groups

The documentation groups resources into the following categories.

Category Description
Access control Authorize and authenticate users.
Applications Install applications and application templates.
Clusters Configure and manage cluster master and peer nodes.
Configuration Manage configuration files and settings.
Deployment Manage deployment servers and clients.
Inputs Manage data input.
Introspection Access system properties.
Knowledge Define indexed and searched data configurations.
KV store Manage app key-value store.
Licensing Manage licensing configurations.
Outputs Manage forwarder data configuration.
Search Manage searches and search-generated alerts and view objects.
System Manage server configuration.

Conforming applications

Iterating over the REST endpoints shows more endpoints and methods than are described in this reference. These might be used internally by Splunk for testing, debugging, and monitoring. Conforming applications and usage shall use only the endpoints and methods as described in this reference.

References

Splunk Enterprise REST API documentation

Tools

Entry format

The API documentation uses the following formatting conventions to describe the resource interface.

Name

Endpoint descriptions use the URI as the endpoint name, beginning with the resource name. For example,

apps/appinstall

is the name of the

/services/apps/appinstall

or

/servicesNS/<user>/<app>/apps/appinstall

endpoint.

Deprecated methods have the "[DEPRECATED]" string after the name.

Synopsis

The Synopsis section shows the generic URL and parameter syntax for referencing the resource. It shows the GET method syntax unless the endpoint supports only the POST method.

Description

The Description section gives a short description of the endpoint function. See the method Application usage section for application considerations about how to use the interface.

See also

The See also section includes links to reference documentation and related API descriptions that might provide more context for the endpoint.

Method summary

A table listing the methods supported by the API, for this endpoint. Entries include the method name (operation) with a link to the method, a short description of the method function, and the supported data formats.

Method detail with examples

For each method listed in the method summary, DELETE, GET, and POST methods provide more detailed information about the method.

Click the Example link to view example API request and response calls.

Simple examples of how to make a request on the endpoint and what the response data looks like.

Your system must be configured appropriately to get the response shown in the examples. For example, a dynamic job ID parameter can be expected to be different for your setup. If needed, you can modify the examples to match your system configuration and state, including changing the hostname and port number.

Example request format

The examples show typical endpoint request syntax using the cURL command-line utility, unless another mechanism is more appropriate for the endpoint.

cURL is available with your *NIX distribution or from the following resources:

See the cURL manpage for command-line options.

An example of the default XML response for a minimally configured system follows the request.

You can also access endpoints by using the httplib2 Python library distributed with Splunk Enterprise. For example:


import httplib2

hostName = "localhost"
managementPort = "8089"
userName ="admin"
userPassword = "changeme"
testUri = "/services/apps/local"

h = httplib2.Http(".cache", disable_ssl_certificate_validation=True)
h.add_credentials(userName, userPassword)

base_url = "https://" + hostName + ":" + managementPort

try:
    response, content = h.request(base_url + testUri, "GET")
    if (response['status'] >= '200' and response['status'] <= '204'):
        print content
    else:
        print response['status']
except Exception, e:
    print "Exception: '%s'" % e

REST client browser plugins are a convenient way to exercise the REST API, and are available for all popular browsers. See #References.

Powershell users can use Invoke-RestMethod.

Example response format

To improve readability, the following response elements are elided using the ... elided ... notation.

Most responses include <opensearch> elements for paging. The opensearch elements are elided to improve readability.
All responses include an Access Control List (ACL) element that defines permissions for accessing the endpoint. The <eia:acl> element is elided to improve readability.
Some GET responses include an EIA attribute element that defines required, optional, and wildcard endpoint elements. The <eai:attributes> element is elided to improve readability.
Multiple data content entries might be elided to improve readability.

Request parameters

A list of support request parameters are described in terms of parameter name, datatype, default value, and a short description.

Required parameters are indicated by the required string with the parameter name.

Pagination and filtering parameters

The following request parameters are valid for some GET methods, as the endpoint documentation indicates.

Conforming endpoints might not support all of these parameters.

Name Datatype Default Description
count Number 30 Maximum number of entries to return. Set value to zero to get all available entries.
offset Number 0 Index of first item to return.
search String Response filter, where the response field values are matched against this search expression.

Example:

search=foo matches on any field with the string foo in the name.
search=field_name%3Dfield_value restricts the match to a single field. (Requires URI-encoding.)

sort_dir Enum asc Response sort order:

asc = ascending
desc = descending

sort_key String name Field name to use for sorting.
sort_mode Enum auto Collated ordering:

auto = If all field values are numeric, collate numerically. Otherwise, collate alphabetically.
alpha = Collate alphabetically, not case-sensitive.
alpha_case = Collate alphabetically, case-sensitive.
num = Collate numerically.

summarize Bool false Response type:

true = Summarized response, omitting some index details, providing a faster response.
false = full response.

Response data keys

Response content data are key-value pairs. All valid parameters are listed with their name and description.

HTTP status codes

Responses can include one of the following HTTP status codes, in addition to content data. Status codes are not listed because the API generally follows the HTTP standard for reporting status. But, the documentation does note status codes with special significance or where the cause differs from the standard.

Error messages

In addition to the HTTP status code, many request error conditions also return an error message. For example:


<response>
  <messages>
    <msg type="ERROR">
      In handler 'datamodelgenerate': The following required arguments are missing: sid.
    </msg>
  </messages>
</response>
EAI response data

EAI response data, the <eia:acl> and <eai:attributes> elements, typically apply to all endpoints and are configuration-dependent, so redundant explanation is omitted. These elements are also elided from the response examples to make the documentation easier to read.

The REST implementation enforces ownership and permissions for a resource based on application context namespace. The ACL includes the following parameters.
Parameter Description
app The app context for the resource. Allowed values are:
  • The name of an app
  • system
can_list For internal use only for the Splunk Web manager UI.
can_share_* Indicates whether or not the current user can change the sharing state. The sharing state can be one of:
  • can_share_app = App-level sharing
  • can_share_global = Global sharing
  • can_share_user = User-level sharing
can_write Indicates whether or not the current user can edit this item.
owner The user that owns the resource.

A value of nobody indicates that all users have access to the resource, but that write access to the resource might be restricted.

modifiable Indicates whether or not you can change the Access Control List (ACL).

Set to false for items not controlled by ACLs, such as items under /server/logger.

perms.read Properties that indicate read permissions of the resource.
perms.write Properties that indicate write permissions of the resource.
removable Indicates if an admin or user with sufficient permissions can remove the entity.
sharing Indicates how the resource is shared. Allowed values are:
  • app = Shared through an app.
  • global = Shared to all apps.
  • user = Private to a user.
The eai:attributes element shows the mandatory and optional fields.
Attribute Description
optionalFields Field is optional.
requiredFields Field is required.
wildcardFields Field can use wildcard.

Application usage

The Application usage section gives detailed information on the intended use of the method for the endpoint.

See also

If applicable, the See also section has links to related endpoints and documentation.

URI quick reference

Jump to: A - C - D - I - L - M - P - R - S

alerts/ URI
Summary GET PUT POST DEL AUTH
alerts/fired_alerts Search
Access all fired alerts

No

alerts/fired_alerts/{name} Search
Access specific fired alert

No

apps/ URI Summary GET PUT POST DEL AUTH
apps/appinstall Applications
Install app from URL or local file

No

apps/apptemplates Applications
Access app templates for creating new apps

No

apps/apptemplates/{name} Applications
Access particular app template

No

apps/local Applications
Manage local apps

No

apps/local/{name} Applications
Manage specific local app

No

apps/local/{name}/package Applications
Archive an app

No

apps/local/{name}/setup Applications
Access setup information for an app

No

apps/local/{name}/update Applications
Access update information for an app

No

authentication/ URI Summary GET PUT POST DEL AUTH
auth/login Access control
Provide user authentication

No

authentication/current-context Access control
Access current user contexts

No

authentication/current-context/{name} Access control
Access specific user context

No

authentication/httpauth-tokens Access control
Manage session tokens

No

authentication/httpauth-tokens/{name} Access control
Manage specific session token

No

authentication/users Access control
Manage user accounts

No

authentication/users/{name} Access control
Manage specific user account

No

authorization/ URI Summary GET PUT POST DEL AUTH
authorization/capabilities Access control
Access capability authorization

No

authorization/roles Access control
Access user roles

No

authorization/roles/{name} Access control
Access specific user role

No

cluster/ URI
Summary GET PUT POST DEL AUTH
cluster/config Clusters
Manage cluster configuration

No

cluster/config/{name} Clusters
Manage specific cluster configuration

No

cluster/master/buckets Clusters
Access master node bucket configurations

No

cluster/master/buckets/{name} Clusters
Access specific bucket configuration, master node

No

cluster/master/control/control/rebalance_primaries Clusters
Access master controls to rebalance primary buckets across peers

No

cluster/master/control/control/remove_peers Clusters
Remove disabled peer nodes.

No

cluster/master/generation Clusters
Access current generations information, master node

No

cluster/master/generation/{name} Clusters
Access specific generation information, cluster master

No

cluster/master/indexes Clusters
Access cluster index information

No

cluster/master/indexes/{name} Clusters
Access specific cluster index information

No

cluster/master/info Clusters
Access cluster master node information

No

cluster/master/peers Clusters
Access peer information, master node

No

cluster/master/peers/{name} Clusters
Access specific master node peer information

No

cluster/master/sites Clusters
Access cluster site information

No

cluster/master/sites/{name} Clusters
Access specific cluster site information

No

cluster/searchhead/generation Clusters
Access searchhead peer information

No

cluster/searchhead/generation/{name} Clusters
Access specific searchhead peer information

No

cluster/searchhead/searchheadconfig Clusters
Access cluster configuration for searchhead

No

cluster/searchhead/searchheadconfig/{name} Clusters
Access specific cluster node

No

cluster/slave/buckets Clusters
Access peer bucket configuration information

No

cluster/slave/buckets/{name} Clusters
Access specific peer bucket configuration information

No

cluster/slave/info Clusters
Access peer node information

No

cluster/slave/info/{name} Clusters
Access information about specific peer

No

configs/ URI Summary GET PUT POST DEL AUTH
configs/conf-{file} Configuration
Raw access to .conf files

No

configs/conf-{file}/{name} Configuration
Raw access to specific .conf file

No

data/ URI
Summary GET PUT POST DEL AUTH
data/commands Search
Access search commands

No

data/commands/{name} Search
Access specific search command

No

data/index-volumes Introspection
Access logical drive information

No

data/index-volumes/{name} Introspection
Access information for a logical drive

No

data/indexes Introspection
Manage data indexes

No

data/indexes/{name} Introspection
Manage specific data index

No

data/indexes-extended Introspection
Access index bucket level information

No

data/indexes-extended/{name} Introspection
Access specific index bucket level information

No

data/inputs/ad Inputs
Access Active Directory monitoring input

No

data/inputs/ad/{name} Inputs
Access Active Directory monitoring stanza

No

data/inputs/all Inputs
Access all inputs, including Modular Inputs

No

data/inputs/all/{name} Inputs
Access specific input

No

data/inputs/monitor Inputs
Access monitor inputs

No

data/inputs/monitor/{name} Inputs
Manage specific monitor input

No

data/inputs/monitor/{name}/members Inputs
Access files for the specific monitor input

No

data/inputs/oneshot Inputs
Access one-shot inputs

No

data/inputs/oneshot/{name} Inputs
Access specific one-shot input information

No

data/inputs/registry Inputs
Access Windows registry monitor input

No

data/inputs/registry/{name} Inputs
Manage Windows registry monitor stanza

No

data/inputs/script Inputs
Manage scripted inputs settings

No

data/inputs/script/restart Inputs
Restart scripted input

No

data/inputs/script/{name} Inputs
Manage specific scripted input

No

data/inputs/tcp/cooked Inputs
Access forwarder TCP inputs

No

data/inputs/tcp/cooked/{name} Inputs
Manage TCP inputs for specific host:port

No

data/inputs/tcp/cooked/{name}/connections Inputs
Access connections for specific port

No

data/inputs/tcp/raw Inputs
Manage raw forwarder TCP inputs

No

data/inputs/tcp/raw/{name} Inputs
Access raw TCP input information

No

data/inputs/tcp/raw/{name}/connections Inputs
Manage raw TCP input information for specific host:port

No

data/inputs/tcp/ssl Inputs
Access SSL configuration information

No

data/inputs/tcp/ssl/{name} Inputs
Access SSL configuration for specific host

No

data/inputs/udp Inputs
Access UDP inputs

No

data/inputs/udp/{name} Inputs
Manage specific UDP input

No

data/inputs/udp/{name}/connections Inputs
Manage specific UDP input connection

No

data/inputs/win-event-log-collections Inputs
Access all configured event log collections

No

data/inputs/win-event-log-collections/{name} Inputs
Manage specific event log

No

data/inputs/win-perfmon Inputs
Access Windows performance monitor information

No

data/inputs/win-perfmon/{name} Inputs
Manage specific performance monitor configuration stanza

No

data/inputs/win-wmi-collections Inputs
Access configured WMI collections

No

data/inputs/win-wmi-collections/{name} Inputs
Manage specific WMI collection

No

data/lookup-table-files Knowledge
Access lookup table files

No

data/lookup-table-files/{name} Knowledge
Manage specific lookup table file

No

data/modular-inputs Inputs
Access defined modular inputs

No

data/modular-inputs/{name} Inputs
Manage specific modular input

No

data/outputs/tcp/default Outputs
Access global TCP output properties

No

data/outputs/tcp/default/{name} Outputs
Manage specific TCP output property setting

No

data/outputs/tcp/group Outputs
Access data forwarding group configurations

No

data/outputs/tcp/group/{name} Outputs
Manage specific data forwarding group

No

data/outputs/tcp/server Outputs
Access data forwarding configurations

No

data/outputs/tcp/server/{name} Outputs
Manage specific forwarder configuration

No

data/outputs/tcp/server/{name}/allconnections Outputs
Access current connections for specific forwarder

No

data/outputs/tcp/syslog Outputs
Access forwarded server configured to provide data in standard syslog format

No

data/outputs/tcp/syslog/{name} Outputs
Manage specific forwarder, which sends data in syslog format

No

data/props/calcfields Knowledge
Access props.conf file calculated fields

No

data/props/calcfields/{name} Knowledge
Manage specific props.conf file calculated field

No

data/props/extractions Knowledge
Access props.conf file search-time field extractions

No

data/props/extractions/{name} Knowledge
Manage specific props.conf file field extraction

No

data/props/fieldaliases Knowledge
Access props.conf file field aliases

No

data/props/fieldaliases/{name} Knowledge
Manage specific props.conf file field alias

No

data/props/lookups Knowledge
Access props.conf file automatic lookups

No

data/props/lookups/{name} Knowledge
Manage specific props.conf file automatic lookup

No

data/props/sourcetype-rename Knowledge
Access renamed sourcetypes configured in props.conf file

No

data/props/sourcetype-rename/{name} Knowledge
Manage specific props.conf file sourcetype name

No

data/transforms/extractions Knowledge
Access field extraction definitions

No

data/transforms/extractions/{name} Knowledge
Manage specific field extraction definition

No

data/transforms/lookups Knowledge
Access transforms.conf file lookup definitions

No

data/transforms/lookups/{name} Knowledge
Manage specific transforms.conf file lookup definition

No

datamodel/ URI Summary GET PUT POST DEL AUTH
datamodel/model Knowledge
Access information about data models

No

datamodel/model/{name} Knowledge
Access information about a data model

No

datamodel/acceleration Knowledge
[DEPRECATED] Access information about data models that have acceleration enabled

No

datamodel/acceleration/{name} Knowledge
[DEPRECATED] Access information about specific data models that has acceleration enabled

No

datamodel/pivot Knowledge
Access pivots based on named data models

No

deployment/ URI Summary GET PUT POST DEL AUTH
deployment/client Deployment
Access deployment client information

No

deployment/client/config Deployment
Access deployment client configuration

No

deployment/client/config/listIsDisabled Deployment
Access deployment client state information

No

deployment/client/config/reload Deployment
Access deployment client reload information

No

deployment/client/{name}/reload Deployment
Manage specific deployment client reload

No

deployment/server/applications Deployment
Access deployment server application and class information

No

deployment/server/applications/{name} Deployment
Manage specific server client application and class information

No

deployment/server/clients Deployment
Access deployment server client information

No

deployment/server/clients/countClients_by_machineType Deployment
Access deployment server client information by machine type

No

deployment/server/clients/countRecentDownloads Deployment
Access client download information

No

deployment/server/clients/{name} Deployment
Manage specific client

No

deployment/server/config Deployment
Access deployment server configuration

No

deployment/server/config/attributesUnsupportedInUI Deployment
Access deployment server attributes not available using Splunk Web

No

deployment/server/config/listIsDisabled Deployment
Access deployment server state

No

deployment/server/serverclasses Deployment
Access server class information

No

deployment/server/serverclasses/{name} Deployment
Manage specific server class of deployment server

No

deployment/server/serverclasses/rename Deployment
Manage server class name

No

directory/ URI Summary GET PUT POST DEL AUTH
directory Knowledge
Access user-configurable entities

No

directory/{name} Knowledge
Manage specific entity in directory service enumeration

No

indexing/ URI
Summary GET PUT POST DEL AUTH
indexing/preview Deployment
Preview events from a file before indexing

No

indexing/preview/{job_id} Inputs
Access props.conf file settings for specific data preview job

No

licenser/ URI
Summary GET PUT POST DEL AUTH
licenser/groups Licensing
Access licenser groups configuration

No

licenser/groups/{name} Licensing
Manage specific licenser group configuration

No

licenser/licenses Licensing
Access licenses

No

licenser/licenses/{name} Licensing
Manage specific license

No

licenser/localslave Licensing
Get information about relevant license state for the splunk instance.

Yes

licenser/messages Licensing
Access licenser messages

No

licenser/messages/{name} Licensing
Access specific licenser message

No

licenser/pools Licensing
Access licenser pool information

No

licenser/pools/{name} Licensing
Manage specific licenser pool

No

licenser/slaves Licensing
Access license master slaves

No

licenser/slaves/{name} Licensing
Access specific license master slave

No

licenser/stacks Licensing
Access license stack configuration

No

licenser/stacks/{name} Licensing
Access specific license stack configuration

No

messages/ URI
Summary GET PUT POST DEL AUTH
messages System
Manage system messages

No

messages/{name} System
Manage specific system message

No

properties/ URI
Summary GET PUT POST DEL AUTH
properties Configuration
Access configuration files

No

properties/{file_name} Configuration
Manage specific configuration file

No

properties/{file_name}/{stanza_name} Configuration
Manage specific configuration file stanzas

No

properties/{file_name}/{stanza_name}/{key_name} Configuration
Manage specific stanza in specific configuration file

No

receivers/ URI
Summary GET PUT POST DEL AUTH
receivers/simple Inputs
Use HTTP to send events

No

receivers/stream Inputs
Use socket to stream events

No

saved/ URI
Summary GET PUT POST DEL AUTH
saved/eventtypes Knowledge
Manage saved event types

No

saved/eventtypes/{name} Knowledge
Manage specific saved event type

No

saved/searches Search
Manage saved searches configuration

No

saved/searches/{name} Search
Manage specific saved search

No

saved/searches/{name}/acknowledge Search
Manage saved search alerting

No

saved/searches/{name}/dispatch Search
Dispatch saved search

No

saved/searches/{name}/history Search
Access saved search job history

No

saved/searches/{name}/reschedule Search
Manage saved search job scheduling

No

saved/searches/{name}/scheduled_times Search
Access saved search scheduled times

No

saved/searches/{name}/suppress Search
Access saved search alerting state

No

scheduled/ URI Summary GET PUT POST DEL AUTH
scheduled/views Search
Access scheduled views for PDF delivery

No

scheduled/views/{name} Search
Manage specific scheduled view

No

scheduled/views/{name}/dispatch Search
Dispatch search for specific scheduled view

No

scheduled/views/{name}/history Search
Access specific scheduled view job history

No

scheduled/views/{name}/reschedule Search
Manage scheduled view scheduling

No

scheduled/views/{name}/scheduled_times Search
Access specific scheduled view times

No

search/ URI Summary GET PUT POST DEL AUTH
search/distributed/bundle-replication-files Deployment
Access distributed search bundle replication files

No

search/distributed/bundle-replication-files/{name} Deployment
Access specific search bundle replication file

No

search/distributed/config Deployment
Access distributed search options

No

search/distributed/peers Deployment
Manage distributed server peers

No

search/distributed/peers/{name} Deployment
Manage distributed server peers

No

search/fields Knowledge
Access search field configuration

No

search/fields/{field_name} Knowledge
Access specific search field configuration

No

search/fields/{field_name}/tags Knowledge
Manage tags associated with specific search field

No

search/jobs Search
Manage search jobs

No

search/jobs/{search_id} Search
Manage specific search job

No

search/jobs/{search_id}/control Search
Execute job control command for specific search

No

search/jobs/{search_id}/events Search
Access events for specific search

No

search/jobs/{search_id}/results Search
Access results of specific search

No

search/jobs/{search_id}/results_preview Search
Access preview results for specific search

No

search/jobs/{search_id}/search.log Search
Access search.log file for specific search

No

search/jobs/{search_id}/summary Search
Access getFieldsAndStats output of so-far-read events

No

search/jobs/{search_id}/timeline Search
Access event distribution over time

No

search/jobs/export Search
Stream search results

No

search/parser Search
Access search language parsing services

No

search/tags Knowledge
Access search time tags

No

search/tags/{tag_name} Knowledge
Manage specific search time tag

No

search/timeparser Search
Parse time argument

No

search/typeahead Search
Suggest search string auto-completion strings

No

server/ URI Summary GET PUT POST DEL AUTH
server/control System
Access server controls

No

server/control/restart System
Restart Splunk Enterprise splunkd server daemon.

No

server/control/restart_webui System
Restart Splunk Enterprise splunkweb Web interface process.

No

server/info Introspection
Access server configuration

No

server/introspection Introspection
List introspection resources

No

server/introspection/indexer Introspection
Get indexer status

No

server/introspection/kvstore Introspection
List app kvstore status resources

No

server/introspection/kvstore/collectionstats Introspection
Get storage statistics for a collection.

No

server/introspection/kvstore/replicasetstats Introspection
Get the status of the replica set from the point of view of the current server.

No

server/introspection/kvstore/serverstatus Introspection
Get an overview of the database process state.

No

server/logger System
Access logging categories

No

server/logger/{name} System
Manage specific logging category

No

server/roles System
Access server configuration

No

server/settings System
Access server configuration

No

server/status Introspection
Access system status information

No

server/status/dispatch-artifacts Introspection
Access search job information

No

server/status/fishbucket Introspection
Access information about the private BTree database

No

server/status/limits/search-concurrency Introspection
Access search concurrency metrics

No

server/status/partitions-space Introspection
Access disk utilization information

No

server/status/resource-usage Introspection
Access current resource utilization information

No

server/status/resource-usage/hostwide Introspection
Access host-level resource utilization information

No

server/status/resource-usage/splunk-processes Introspection
Access operating system resource utilization information

No

shcluster/ URI
Summary GET PUT POST DEL AUTH
shcluster/captain/artifacts Clusters
Get artifact configuration information for a cluster captain node.

No

shcluster/captain/artifacts/{name} Clusters
Get artifact configuration information for {name} node.

No

shcluster/captain/info Clusters
Access information about searchhead cluster captain node.

No

shcluster/captain/jobs Clusters
List running and recently finished jobs for all cluster members.

No

shcluster/captain/jobs/{name} Clusters
Get running and recently finished jobs for {name} cluster.

No

shcluster/captain/members Clusters
List cluster members.

No

shcluster/captain/members/{name} Clusters
Get information about the {name} searchhead cluster member.

No

shcluster/config Clusters
List searchhead cluster node configuration.

No

shcluster/member/artifacts Clusters
Get searchhead cluster member artifact configuration.

No

shcluster/member/artifacts/{name} Clusters
Get {name} member artifact configuration.

No

shcluster/member/consensus Clusters
Get latest cluster configuration from the raft consensus protocol.

No

shcluster/member/info Clusters
Get searchhead cluster member node information.

No

storage/ URI Summary GET PUT POST DEL AUTH
storage/passwords Access control
Manage authentication credentials

No

storage/passwords/{name} Access control
Manage specific authentication credential

No

storage/collections URI Summary GET PUT POST DEL AUTH
storage/collections/config KV store
Create or list connections.

No

storage/collections/config/{collection} KV store
Manage a specific collection.

No

storage/collections/data/{collection} KV store
Manage items of a collection.

No

storage/collections/data/{collection}/{id} KV store
Manage a specific item of a collection.

No

storage/collections/data/{collection}/batch_save KV store
Perform multiple save operations.

No

Access endpoints

Access endpoint descriptions

Manage user authentication credentials.

auth/login


https://<host>:<mPort>/services/auth/login

Authentication: Not required

Description

Get a session ID for use in subsequent API calls that require authentication.

See also
Method summary
Method Description Formats
POST Get a session ID for use in subsequent API calls that require authentication. XML, JSON

POST auth/login method detail

Example

Request parameters
Name Datatype Default Description
password
required
String Current username password.
username
required
String Authenticated session owner name.
Response data keys
Name Description
sessionKey Session ID.

Note: Only a <response> element is returned, instead of the full <atom> feed.

Application usage

The splunkd server supports token-based authentication using the standard HTTP authorization header. Before you can access Splunk Enterprise resources, you must authenticate with the splunkd server using your username and password.

Failure to authenticate returns the following response:

<response>

<messages>
   <msg type="WARN">Login failed</msg>
 </messages>

</response>

Obtain a session ID to be used in the authorization header of subsequent REST API calls that require authentication.

[ Top ]



authentication/current-context


https://<host>:<mPort>/services/authentication/current-context

Authentication: Not required

Description

Get the the authenticated session owner username.

See also
Method summary
Method Description Formats
GET Get the user information for the current context. XML, JSON

GET authentication/current-context method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
capabilities List of capabilities assigned to role.
defaultApp Default app for the user, which is invoked at login.
defaultAppIsUserOverride Default app override indicates:
true = Default app overrides the user role default app.
false = Default app does not override the user role default app.
defaultAppSourceRole The role that determines the default app for the user, if the user has multiple roles.
email User email address.
password User password.
realname User full name.
restart_background_jobs Restart background search job that has not completed when Splunk Enterprise restarts indication:
true = Restart job.
false = Do not restart job.
roles Roles assigned to the user.
type User authentication system type:
  • LDAP
  • Scripted
  • Splunk
  • System (reserved for system user)
tz User timezone.
username Authenticated session owner name.
Application usage

Use this endpoint in a search command to get the current user:


... rest /services/authentication/current-context/context | fields + username ...

[ Top ]



authentication/httpauth-tokens


https://<host>:<mPort>/services/authentication/httpauth-tokens

Authentication: Not required

Description

List currently active session IDs and users.

See also
Method summary
Method Description Formats
GET List currently active session IDs/users. XML, JSON

GET authentication/httpauth-tokens method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
authString Unique identifier for this session.
searchId Search ID associated with the session, if it was created for a search job. If it is a login-type session, the value is empty.
timeAccessed Last time the session was touched.
userName Username associated with the session.
Application usage

The session ID token is valid for the duration of the web session.

Search command example:


| rest /services/authentication/httpauth-tokens | search (NOT userName="splunk-system-user") searchId="" | table userName splunk_server timeAccessed


[ Top ]



authentication/httpauth-tokens/{name}


https://<host>:<mPort>/services/authentication/httpauth-tokens/<name>

Authentication: Not required

Description

Get or delete the {name} session, where {name} is the session ID returned by auth/login.

See also
Method summary
Method Description Formats
DELETE Delete the session associated with this session ID. XML, JSON
GET Get session information. XML, JSON

DELETE authentication/httpauth-tokens/{name} method detail

Example

Request parameters

None

Response data keys

None


GET authentication/httpauth-tokens/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
authString Unique session identifier.
searchId Session search ID, if it is a search job session. The value is blank for a login-type session.
timeAccessed Last time the session was touched.


userName Username associated with the session.

[ Top ]



authentication/users


https://<host>:<mPort>/services/authentication/users

Authentication: Not required

Description

Create a user and list current users.

See also
Method summary
Method Description Formats
GET List registered users. XML, JSON
POST Create a user. XML, JSON

GET authentication/users method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
capabilities List of capabilities assigned to role.
defaultApp Default app for the user, which is invoked at login.
defaultAppIsUserOverride Default app override indicates:
true = Default app overrides the user role default app.
false = Default app does not override the user role default app.
defaultAppSourceRole The role that determines the default app for the user, if the user has multiple roles.
email User email address.
password User password.
realname User full name.
restart_background_jobs Restart background search job that has not completed when Splunk Enterprise restarts indication:
true = Restart job.
false = Do not restart job.
roles Roles assigned to the user.
type User authentication system type:
  • LDAP
  • Scripted
  • Splunk
  • System (reserved for system user)
tz User timezone.

POST authentication/users method detail

Example

Request parameters
Name Datatype Default Description
createrole String Role to create for user.
defaultApp String User default app. This overrides the default app inherited from the user roles.
email String User email address.
force-change-pass Boolean Force user to change password indication:
true = Force password change.
false = Do not force password change.
name
required
String Unique user login name.
password
required
String User login password.
realname String Full user name.
restart_background_jobs Boolean Restart background search job that has not completed when Splunk Enterprise restarts indication:
true = Restart job.
false = Do not restart job.
roles
required
String User role. To assign multiple roles to the user, use multiple roles parameters. At least one role is required.
tz String User timezone.
Response data keys

None

Application usage

When creating a user you must specify at least one role. You can specify one or more roles with the roles parameter, or you can use the createrole parameter to create a role for the user.

Either use roles to specify one or more roles or use createrole to create a role. After creating the role, you can edit the role to indicate the user access level.


[ Top ]



authentication/users/{name}


https://<host>:<mPort>/services/authentication/users/<name>

Authentication: Not required

Description

Get, update, or delete the {name} user.

See also

List of available capabilities

Method summary
Method Description Formats
DELETE Remove the specified user from the system. XML, JSON
GET Return the specified user information. XML, JSON
POST Update the specified user information. XML, JSON

DELETE authentication/users/{name} method detail

Example

Request parameters

None

Response data keys

None


GET authentication/users/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
capabilities List of capabilities assigned to role.
defaultApp Default app for the user, which is invoked at login.
defaultAppIsUserOverride Default app override indicates:
true = Default app overrides the user role default app.
false = Default app does not override the user role default app.
defaultAppSourceRole The role that determines the default app for the user, if the user has multiple roles.
email User email address.
password User password.
realname User full name.
restart_background_jobs Restart background search job that has not completed when Splunk Enterprise restarts indication:
true = Restart job.
false = Do not restart job.
roles Roles assigned to the user.
type User authentication system type:
  • LDAP
  • Scripted
  • Splunk
  • System (reserved for system user)
tz User timezone.
Application usage

{name} is not case-sensitive.



POST authentication/users/{name} method detail

Example

Request parameters
Name Datatype Default Description
createrole String Role to create for user.
defaultApp String User default app. This overrides the default app inherited from the user roles.
email String User email address.
force-change-pass Boolean Force user to change password indication:
true = Force password change.
false = Do not force password change.
name
required
String Unique user login name.
password
required
String User login password.
realname String Full user name.
restart_background_jobs Boolean Restart background search job that has not completed when Splunk Enterprise restarts indication:
true = Restart job.
false = Do not restart job.
roles
required
String User role. To assign multiple roles to the user, use multiple roles parameters. At least one role is required.
tz String User timezone.
Response data keys
Name Description
capabilities List of capabilities assigned to role.
defaultApp Default app for the user, which is invoked at login.
defaultAppIsUserOverride Default app override indicates:
true = Default app overrides the user role default app.
false = Default app does not override the user role default app.
defaultAppSourceRole The role that determines the default app for the user, if the user has multiple roles.
email User email address.
password User password.
realname User full name.
restart_background_jobs Restart background search job that has not completed when Splunk Enterprise restarts indication:
true = Restart job.
false = Do not restart job.
roles Roles assigned to the user.
type User authentication system type:
  • LDAP
  • Scripted
  • Splunk
  • System (reserved for system user)
tz User timezone.

[ Top ]



authorization/capabilities


https://<host>:<mPort>/services/authorization/capabilities

Authentication: Not required

Description

Get a list of all capabilities.

Method summary
Method Description Formats
GET List system capabiilities. XML, JSON

GET authorization/capabilities method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
capabilities List of capabilities assigned to role.

[ Top ]



authorization/roles


https://<host>:<mPort>/services/authorization/roles

Authentication: Not required

Description

Create a role or get a list of defined roles with role permissions.

See also
Method summary
Method Description Formats
GET List all roles and the permissions for each role. XML, JSON
POST Create a user role. XML, JSON

GET authorization/roles method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
capabilities List of capabilities assigned to role.

The Securing Splunk manual describes List of available capabilities.

cumulativeRTSrchJobsQuota Maximum number of concurrently running real-time searches for all role members. Warning message logged when limit is reached.
cumulativeSrchJobsQuota Maximum number of concurrently running searches for all role members. Warning message logged when limit is reached.
defaultApp The name of the app to use as the default app for this role.

A user-specific default app overrides this.

imported_capabilities List of capabilities assigned to role made available from imported roles.
imported_roles List of imported roles for this role.

Importing other roles imports all aspects of that role, such as capabilities and allowed indexes to search. In combining multiple roles, the effective value for each attribute is value with the broadest permissions.

imported_rtSrchJobsQuota The maximum number of concurrent real time search jobs for this role. This count is independent from the normal search jobs limit.

imported_rtSrchJObsQuota specifies the quota imported from other roles.

imported_srchDiskQuota The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.

imported_srchDiskQuota specifies the quota for this role that have imported from other roles.

imported_srchFilter Search string, imported from other roles, that restricts the scope of searches run by this role.

Search results for this role only show events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR.

imported_srchIndexesAllowed A list of indexes, imported from other roles, this role has permissions to search.
imported_srchIndexesDefault A list of indexes, imported from other roles, that this role defaults to when no index is specified in a search.
imported_srchJobsQuota The maximum number of historical searches for this role that are imported from other roles.
imported_srchTimeWin Maximum time span of a search, in seconds.

0 indicates searches are not limited to any specific time window.

imported_srchTimeWin specifies the limit from imported roles.

rtSrchJobsQuota The maximum number of concurrent real time search jobs for this role. This count is independent from the normal search jobs limit.
srchDiskQuota The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.
srchFilter Search string that restricts the scope of searches run by this role.

Search results for this role only show events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR.

srchIndexesAllowed A list of indexes this role has permissions to search.
srchIndexesDefault List of search indexes that default to this role when no index is specified.
srchJobsQuota The maximum number of concurrent real time search jobs for this role.

This count is independent from the normal search jobs limit.

srchTimeWin Maximum time span of a search, in seconds.

0 indicates searches are not limited to any specific time window.


POST authorization/roles method detail

Example

Request parameters
Name Datatype Default Description
capabilities String List of capabilities assigned to role. To send multiple capabilities, send this argument multiple times.

Roles inherit all capabilities from imported roles.

cumulativeRTSrchJobsQuota Number Maximum number of concurrently running real-time searches that all members of this role can have.

Note: If a user belongs to multiple roles then the user first consumes searches from the roles with the largest cumulative search quota. When the quota of a role is completely used up then roles with lower quotas are examined.

cumulativeSrchJobsQuota Number Maximum number of concurrently running searches for all role members. Warning message logged when limit is reached.

Note: If a user belongs to multiple roles then the user first consumes searches from the roles with the largest cumulative search quota. When the quota of a role is completely used up then roles with lower quotas are examined.

defaultApp String Specify the name of the app to use as the default app for the role.A user-specific default app overrides this.

The name you specify is the name of the folder containing the app.

imported_roles String Specify a role to import attributes from. Specify many of these separately to import multiple roles. By default a role imports no other roles.

Importing other roles imports all aspects of that role, such as capabilities and allowed indexes to search. In combining multiple roles, the effective value for each attribute is value with the broadest permissions.

Default Splunk Enterprise roles are:

  • admin
  • can_delete
  • power
  • user

You can specify additional roles created.

name
required
String The name of the user role to create.
rtSrchJobsQuota Number Specify the maximum number of concurrent real time search jobs for this role.

This count is independent from the normal search jobs limit.

srchDiskQuota Number Specifies the maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.
srchFilter String Specify a search string that restricts the scope of searches run by this role. Search results for this role only show events that also match the search string you specify. In the case that a user has multiple roles with different search filters, they are combined with an OR.

The search string can include source, host, index, eventtype, sourcetype, search fields, *, OR and, AND.

Example: "host=web* OR source=/var/log/*"

Note: You can also use the srchIndexesAllowed and srchIndexesDefault parameters to limit the search on indexes.

srchIndexesAllowed String An index this role has permissions to search. To set several of these, pass this argument several times. These may be wildcarded, but the index name must begin with an underscore to match internal indexes.

Search indexes available by default from Splunk Enterprise include:

  • All internal indexes
  • All non-internal indexes
  • _audit
  • _blocksignature
  • _internal
  • _thefishbucket
  • history
  • main

You can also specify other search indexes added to the server.

srchIndexesDefault String For this role, indexes to search when no index is specified.

These indexes can be wildcarded, with the exception that '*' does not match internal indexes. To match internal indexes, start with '_'. All internal indexes are represented by '_*'.

A user with this role can search other indexes using "index= "

For example, "index=special_index".

Search indexes available by default from Splunk Enterprise include:

  • All internal indexes
  • All non-internal indexes
  • _audit
  • _blocksignature
  • _internal
  • _thefishbucket
  • history
  • main
  • other search indexes added to the server
srchJobsQuota Number The maximum number of concurrent searches a user with this role is allowed to run. In the event of many roles per user, the maximum of these quotas is applied.
srchTimeWin Number Maximum time span of a search, in seconds.

By default, searches are not limited to any specific time window. To override any search time windows from imported roles, set srchTimeWin to '0', as the 'admin' role does.

Response data keys

None

[ Top ]



authorization/roles/{name}


https://<host>:<mPort>/services/authorization/roles/<name>

Authentication: Not required

Description

Create, delete, or get a list properties of the {name} role.

See also

List of available capabilities

Method summary
Method Description Formats
DELETE Delete the specified role. XML, JSON
GET Get the specified role permissions. XML, JSON
POST Create/update the specified role. XML, JSON

DELETE authorization/roles/{name} method detail

Example

Request parameters

None

Response data keys

None


GET authorization/roles/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
capabilities List of capabilities assigned to role.

The Securing Splunk manual describes all capabilities.

cumulativeRTSrchJobsQuota Maximum number of concurrently running real-time searches for all role members. Warning message logged when limit is reached.
cumulativeSrchJobsQuota Maximum number of concurrently running searches for all role members. Warning message logged when limit is reached.
defaultApp The name of the app to use as the default app for this role.

A user-specific default app overrides this.

imported_capabilities List of capabilities assigned to role that were made available from imported roles.
imported_roles List of imported roles for this role.

Importing other roles imports all aspects of that role, such as capabilities and allowed indexes to search. In combining multiple roles, the effective value for each attribute is value with the broadest permissions.

imported_rtSrchJobsQuota The maximum number of concurrent real time search jobs for this role. This count is independent from the normal search jobs limit.

imported_rtSrchJObsQuota specifies the quota imported from other roles.

imported_srchDiskQuota The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.

imported_srchDiskQuota specifies the quota for this role that have imported from other roles.

imported_srchFilter Search string, imported from other roles, that restricts the scope of searches run by this role.

Search results for this role only show events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR.

imported_srchIndexesAllowed A list of indexes, imported from other roles, this role has permissions to search.
imported_srchIndexesDefault A list of indexes, imported from other roles, that this role defaults to when no index is specified in a search.
imported_srchJobsQuota The maximum number of historical searches for this role that are imported from other roles.
imported_srchTimeWin Maximum time span of a search, in seconds.

0 indicates searches are not limited to any specific time window.

imported_srchTimeWin specifies the limit from imported roles.

rtSrchJobsQuota The maximum number of concurrent real time search jobs for this role. This count is independent from the normal search jobs limit.
srchDiskQuota The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.
srchFilter Search string that restricts the scope of searches run by this role.

Search results for this role only show events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR.

srchIndexesAllowed A list of indexes this role has permissions to search.
srchIndexesDefault List of search indexes that default to this role when no index is specified.
srchJobsQuota The maximum number of concurrent real time search jobs for this role.

This count is independent from the normal search jobs limit.

srchTimeWin Maximum time span of a search, in seconds.

0 indicates searches are not limited to any specific time window.


POST authorization/roles/{name} method detail

Example

Request parameters
Name Datatype Default Description
capabilities String List of capabilities assigned to role. To send multiple capabilities, send this argument multiple times.

Roles inherit all capabilities from imported roles. For more information, refer to About defining roles with capabilities.

cumulativeRTSrchJobsQuota Number Maximum number of concurrently running real-time searches that all members of this role can have.

Note: If a user belongs to multiple roles then the user first consumes searches from the roles with the largest cumulative search quota. When the quota of a role is completely used up then roles with lower quotas are examined.

cumulativeSrchJobsQuota Number Maximum number of concurrently running searches for all role members. Warning message logged when limit is reached.

Note: If a user belongs to multiple roles then the user first consumes searches from the roles with the largest cumulative search quota. When the quota of a role is completely used up then roles with lower quotas are examined.

defaultApp String Specify the name of the app to use as the default app for the role.A user-specific default app overrides this.

The name you specify is the name of the folder containing the app.

imported_capabilities String TBD
imported_roles String Specify a role to import attributes from. Specify many of these separately to import multiple roles. By default a role imports no other roles.

Importing other roles imports all aspects of that role, such as capabilities and allowed indexes to search. In combining multiple roles, the effective value for each attribute is value with the broadest permissions.

Default Splunk Enterprise roles are:

  • admin
  • can_delete
  • power
  • user

You can specify additional roles created.

imported_rtSrchJobsQuota String TBD
imported_srchDiskQuota String TBD
imported_srchFilter String TBD
imported_srchIndexesAllowed String TBD
imported_srchIndexesDefault String TBD
imported_srchJobsQuota String TBD
imported_srchTimeWin String TBD
rtSrchJobsQuota Number Specify the maximum number of concurrent real time search jobs for this role.

This count is independent from the normal search jobs limit.

srchDiskQuota Number Specifies the maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.
srchFilter String Specify a search string that restricts the scope of searches run by this role. Search results for this role only show events that also match the search string you specify. In the case that a user has multiple roles with different search filters, they are combined with an OR.

The search string can include source, host, index, eventtype, sourcetype, search fields, *, OR and, AND.

Example: "host=web* OR source=/var/log/*"

Note: You can also use the srchIndexesAllowed and srchIndexesDefault parameters to limit the search on indexes.

srchIndexesAllowed String An index this role has permissions to search. To set several of these, pass this argument several times. These may be wildcarded, but the index name must begin with an underscore to match internal indexes.

Search indexes available by default from Splunk Enterprise include:

  • All internal indexes
  • All non-internal indexes
  • _audit
  • _blocksignature
  • _internal
  • _thefishbucket
  • history
  • main

You can also specify other search indexes added to the server.

srchIndexesDefault String For this role, indexes to search when no index is specified.

These indexes can be wildcarded, with the exception that '*' does not match internal indexes. To match internal indexes, start with '_'. All internal indexes are represented by '_*'.

A user with this role can search other indexes using "index= "

For example, "index=special_index".

Search indexes available by default from Splunk Enterprise include:

  • All internal indexes
  • All non-internal indexes
  • _audit
  • _blocksignature
  • _internal
  • _thefishbucket
  • history
  • main
  • other search indexes added to the server
srchJobsQuota Number The maximum number of concurrent searches a user with this role is allowed to run. In the event of many roles per user, the maximum of these quotas is applied.
srchTimeWin Number Maximum time span of a search, in seconds.

By default, searches are not limited to any specific time window. To override any search time windows from imported roles, set srchTimeWin to '0', as the 'admin' role does.

Response data keys

None

[ Top ]



storage/passwords


https://<host>:<mPort>/services/storage/passwords

Authentication: Not required

Description

Create or update user credentials, or list credentials for all users.

Method summary
Method Description Formats
GET List available credentials. XML, JSON
POST Create/update new credentials. XML, JSON

GET storage/passwords method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
clear_password Clear text password.
encr_password Encrypted, stored password.
password Password mask, always ********.
realm Realm in which credentials are valid.
username User name associated with credentials.
Application usage

Only admin-level users can access this endpoint.

The password is encrypted with a secure key resident on the same server.



POST storage/passwords method detail

Example

Request parameters
Name Datatype Default Description
name
required
String Credentials user name.
password
required
String Credentials user password.
realm String Credentials realm.
Response data keys
Name Description
clear_password Clear text password.
encr_password Encrypted, stored password.
password Password mask, always ********.
realm Realm in which credentials are valid.
username User name associated with credentials.
Application usage

The password credential is the only part of the user credentials that is stored securely.


[ Top ]



storage/passwords/{name}


https://<host>:<mPort>/services/storage/passwords/<name>

Authentication: Not required

Description

Update, delete, or list credentials for the {name} user.

Method summary
Method Description Formats
DELETE Delete the specified user credentials. XML, JSON
GET Get the specified user credentials. XML, JSON
POST Update the specified user credentials. XML, JSON

DELETE storage/passwords/{name} method detail

Example

Request parameters

None

Response data keys

None

The {name} part of the URL must be bounded by the colon ( : ) symbol.

Example:


/services/storage/passwords/:uname:



GET storage/passwords/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
clear_password Clear text password.
encr_password Encrypted, stored password.
password Password mask, always ********.
realm Realm in which credentials are valid.
username User name associated with credentials.

POST storage/passwords/{name} method detail

Example

Request parameters
Name Datatype Default Description
password String User password credential.
Response data keys
Name Description
clear_password Clear text password.
encr_password Encrypted, stored password.
password Password mask, always ********.
realm Realm in which credentials are valid.
username User name associated with credentials.
Application usage

The password credential is the only part of the user credentials that is stored securely.

[ Top ]

Access endpoint examples

auth/login POST

XML
XML Request

curl -k -u admin:changeme  https://localhost:8089/services/auth/login -d <span style="color: #19177C">username</span><span style="color: #666666">=</span>admin -d <span style="color: #19177C">password</span><span style="color: #666666">=</span>changeme
XML Response

<response>

<sessionKey>192fd3e46a31246da7ea7f109e7f95fd</sessionKey>

</response>


authentication/current-context GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/authentication/current-context
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>current-context</title>
 <id>https://localhost:8089/services/authentication/current-context</id>
 <updated>2014-06-30T11:26:19-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>context</title>
   <id>https://localhost:8089/services/authentication/current-context/context</id>
   <updated>2014-06-30T11:26:19-07:00</updated>
   <link href="/services/authentication/current-context/context" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/current-context/context" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="defaultAppIsUserOverride">1</s:key>
       <s:key name="defaultAppSourceRole">system</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="email">changeme@example.com</s:key>
       <s:key name="password">********</s:key>
       <s:key name="realname">Administrator</s:key>
       <s:key name="restart_background_jobs">1</s:key>
       <s:key name="roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="type">Splunk</s:key>
       <s:key name="tz"></s:key>
       <s:key name="username">admin</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


authentication/httpauth-tokens GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/authentication/httpauth-tokens
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>httpauth-tokens</title>
 <id>https://localhost:8089/services/authentication/httpauth-tokens</id>
 <updated>2014-06-30T11:28:04-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>2</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>15a773187d3e4437cbe9809f41f23d8f</title>
   <id>https://localhost:8089/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f</id>
   <updated>2014-06-30T11:28:04-07:00</updated>
   <link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="list"/>
   <link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="authString">vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYxtGLKAESQkzjSjG7dbymQW58y^oI3kxYXWfK_Fd3cRGqwPQGp58RvEkzwCaC6PmQgCsK</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="searchId"></s:key>
       <s:key name="timeAccessed">Mon Jun 30 11:28:04 2014</s:key>
       <s:key name="userName">admin</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>694ef5bda40ae8c4f59626671b5f0c9a</title>
   <id>https://localhost:8089/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a</id>
   <updated>2014-06-30T11:28:04-07:00</updated>
   <link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="list"/>
   <link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="authString">1RU5vGFm2OPq29plLtvqlEB9xzPDLZ3AleUhE1bwPjIrKtvyLE4fODhs^TgI4_NamvVtqusj8GnnNxd5wBB1wT^qHXn1DOV7LcCvErpyTzOvISr^2TnKUC</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="searchId"></s:key>
       <s:key name="timeAccessed">Mon Jun 30 11:26:09 2014</s:key>
       <s:key name="userName">splunk-system-user</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


authentication/httpauth-tokens/{name} DELETE

XML
XML Request

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/authentication/httpauth-tokens/vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYxtGLKAESQkzjSjG7dbymQW58y^oI3kxYXWfK_Fd3cRGqwPQGp58RvEkzwCaC6PmQgCsK
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>httpauth-tokens</title>
 <id>https://localhost:8089/services/authentication/httpauth-tokens</id>
 <updated>2014-06-30T12:02:12-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>694ef5bda40ae8c4f59626671b5f0c9a</title>
   <id>https://localhost:8089/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a</id>
   <updated>2014-06-30T12:02:12-07:00</updated>
   <link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="list"/>
   <link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="authString">1RU5vGFm2OPq29plLtvqlEB9xzPDLZ3AleUhE1bwPjIrKtvyLE4fODhs^TgI4_NamvVtqusj8GnnNxd5wBB1wT^qHXn1DOV7LcCvErpyTzOvISr^2TnKUC</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="searchId"></s:key>
       <s:key name="timeAccessed">Mon Jun 30 11:42:31 2014</s:key>
       <s:key name="userName">splunk-system-user</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


authentication/httpauth-tokens/{name} GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/authentication/httpauth-tokens/vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYxtGLKAESQkzjSjG7dbymQW58y^oI3kxYXWfK_Fd3cRGqwPQGp58RvEkzwCaC6PmQgCsK
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>httpauth-tokens</title>
 <id>https://localhost:8089/services/authentication/httpauth-tokens</id>
 <updated>2014-06-30T11:39:52-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>15a773187d3e4437cbe9809f41f23d8f</title>
   <id>https://localhost:8089/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f</id>
   <updated>2014-06-30T11:39:52-07:00</updated>
   <link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="list"/>
   <link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="authString">vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYxtGLKAESQkzjSjG7dbymQW58y^oI3kxYXWfK_Fd3cRGqwPQGp58RvEkzwCaC6PmQgCsK</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="searchId"></s:key>
       <s:key name="timeAccessed">Mon Jun 30 11:39:52 2014</s:key>
       <s:key name="userName">admin</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


authentication/users GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/authentication/users
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>users</title>
 <id>https://localhost:8089/services/authentication/users</id>
 <updated>2014-06-30T12:27:48-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authentication/users/_new" rel="create"/>
 <opensearch:totalResults>2</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>admin</title>
   <id>https://localhost:8089/services/authentication/users/admin</id>
   <updated>2014-06-30T12:27:48-07:00</updated>
   <link href="/services/authentication/users/admin" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/users/admin" rel="list"/>
   <link href="/services/authentication/users/admin" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="defaultAppIsUserOverride">1</s:key>
       <s:key name="defaultAppSourceRole">system</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="email">changeme@example.com</s:key>
       <s:key name="password">********</s:key>
       <s:key name="realname">Administrator</s:key>
       <s:key name="restart_background_jobs">1</s:key>
       <s:key name="roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="type">Splunk</s:key>
       <s:key name="tz"></s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>user1</title>
   <id>https://localhost:8089/services/authentication/users/user1</id>
   <updated>2014-06-30T12:27:48-07:00</updated>
   <link href="/services/authentication/users/user1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/users/user1" rel="list"/>
   <link href="/services/authentication/users/user1" rel="edit"/>
   <link href="/services/authentication/users/user1" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="defaultAppIsUserOverride">0</s:key>
       <s:key name="defaultAppSourceRole">system</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="email"></s:key>
       <s:key name="password">********</s:key>
       <s:key name="realname"></s:key>
       <s:key name="restart_background_jobs">1</s:key>
       <s:key name="roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="type">Splunk</s:key>
       <s:key name="tz"></s:key>
     </s:dict>
   </content>
 </entry>

</feed>


authentication/users POST

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/authentication/users -d name=User1 -d password=changeme -d roles=admin
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>users</title>
 <id>https://localhost:8089/services/authentication/users</id>
 <updated>2014-06-30T12:18:19-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authentication/users/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>user1</title>
   <id>https://localhost:8089/services/authentication/users/user1</id>
   <updated>2014-06-30T12:18:19-07:00</updated>
   <link href="/services/authentication/users/user1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/users/user1" rel="list"/>
   <link href="/services/authentication/users/user1" rel="edit"/>
   <link href="/services/authentication/users/user1" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="defaultAppIsUserOverride">0</s:key>
       <s:key name="defaultAppSourceRole">system</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="email"></s:key>
       <s:key name="password">********</s:key>
       <s:key name="realname"></s:key>
       <s:key name="restart_background_jobs">1</s:key>
       <s:key name="roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="type">Splunk</s:key>
       <s:key name="tz"></s:key>
     </s:dict>
   </content>
 </entry>

</feed>


authentication/users/{name} DELETE

XML
XML Request

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/authentication/users/user1
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>users</title>
 <id>https://localhost:8089/services/authentication/users</id>
 <updated>2014-06-30T12:51:09-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authentication/users/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>admin</title>
   <id>https://localhost:8089/services/authentication/users/admin</id>
   <updated>2014-06-30T12:51:09-07:00</updated>
   <link href="/services/authentication/users/admin" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/users/admin" rel="list"/>
   <link href="/services/authentication/users/admin" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="defaultAppIsUserOverride">1</s:key>
       <s:key name="defaultAppSourceRole">system</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="email">changeme@example.com</s:key>
       <s:key name="password">********</s:key>
       <s:key name="realname">Administrator</s:key>
       <s:key name="restart_background_jobs">1</s:key>
       <s:key name="roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="type">Splunk</s:key>
       <s:key name="tz"></s:key>
     </s:dict>
   </content>
 </entry>

</feed>


authentication/users/{name} GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/authentication/users/user1
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>users</title>
 <id>https://localhost:8089/services/authentication/users</id>
 <updated>2014-06-30T12:39:18-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authentication/users/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>user1</title>
   <id>https://localhost:8089/services/authentication/users/user1</id>
   <updated>2014-06-30T12:39:18-07:00</updated>
   <link href="/services/authentication/users/user1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/users/user1" rel="list"/>
   <link href="/services/authentication/users/user1" rel="edit"/>
   <link href="/services/authentication/users/user1" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="defaultAppIsUserOverride">0</s:key>
       <s:key name="defaultAppSourceRole">system</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list>
               <s:item>defaultApp</s:item>
               <s:item>email</s:item>
               <s:item>force-change-pass</s:item>
               <s:item>password</s:item>
               <s:item>realname</s:item>
               <s:item>restart_background_jobs</s:item>
               <s:item>roles</s:item>
               <s:item>tz</s:item>
             </s:list>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="email"></s:key>
       <s:key name="password">********</s:key>
       <s:key name="realname"></s:key>
       <s:key name="restart_background_jobs">1</s:key>
       <s:key name="roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="type">Splunk</s:key>
       <s:key name="tz"></s:key>
     </s:dict>
   </content>
 </entry>

</feed>


authentication/users/{name} POST

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/authentication/users/user1 -d defaultApp=launcher
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>users</title>
 <id>https://localhost:8089/services/authentication/users</id>
 <updated>2014-06-30T12:45:23-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authentication/users/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>user1</title>
   <id>https://localhost:8089/services/authentication/users/user1</id>
   <updated>2014-06-30T12:45:23-07:00</updated>
   <link href="/services/authentication/users/user1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/users/user1" rel="list"/>
   <link href="/services/authentication/users/user1" rel="edit"/>
   <link href="/services/authentication/users/user1" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="defaultAppIsUserOverride">1</s:key>
       <s:key name="defaultAppSourceRole">system</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="email"></s:key>
       <s:key name="password">********</s:key>
       <s:key name="realname"></s:key>
       <s:key name="restart_background_jobs">1</s:key>
       <s:key name="roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="type">Splunk</s:key>
       <s:key name="tz"></s:key>
     </s:dict>
   </content>
 </entry>

</feed>


authorization/capabilities GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/authorization/capabilities
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>capabilities</title>
 <id>https://localhost:8089/services/authorization/capabilities</id>
 <updated>2014-06-30T12:56:35-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>capabilities</title>
   <id>https://localhost:8089/services/authorization/capabilities/capabilities</id>
   <updated>2014-06-30T12:56:35-07:00</updated>
   <link href="/services/authorization/capabilities/capabilities" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authorization/capabilities/capabilities" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>delete_by_keyword</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>use_file_operator</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
     </s:dict>
   </content>
 </entry>

</feed>


authorization/roles GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/authorization/roles
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>roles</title> <id>https://localhost:8089/services/authorization/roles</id> <updated>2014-06-30T13:12:17-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> <link href="/services/authorization/roles/_new" rel="create"/> <opensearch:totalResults>5</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>admin</title> <id>https://localhost:8089/services/authorization/roles/admin</id> <updated>2014-06-30T13:12:17-07:00</updated> <link href="/services/authorization/roles/admin" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/authorization/roles/admin" rel="list"/> <link href="/services/authorization/roles/admin" rel="edit"/> <link href="/services/authorization/roles/admin" rel="remove"/> <content type="text/xml"> <s:dict> <s:key name="capabilities"> <s:list> <s:item>accelerate_datamodel</s:item> <s:item>admin_all_objects</s:item> <s:item>change_authentication</s:item> <s:item>edit_deployment_client</s:item> <s:item>edit_deployment_server</s:item> <s:item>edit_dist_peer</s:item> <s:item>edit_forwarders</s:item> <s:item>edit_httpauths</s:item> <s:item>edit_input_defaults</s:item> <s:item>edit_monitor</s:item> <s:item>edit_roles</s:item> <s:item>edit_scripted</s:item> <s:item>edit_search_server</s:item> <s:item>edit_server</s:item> <s:item>edit_splunktcp</s:item> <s:item>edit_splunktcp_ssl</s:item> <s:item>edit_tcp</s:item> <s:item>edit_udp</s:item> <s:item>edit_user</s:item> <s:item>edit_view_html</s:item> <s:item>edit_web_settings</s:item> <s:item>edit_win_admon</s:item> <s:item>edit_win_eventlogs</s:item> <s:item>edit_win_perfmon</s:item> <s:item>edit_win_regmon</s:item> <s:item>edit_win_wmiconf</s:item> <s:item>get_diag</s:item> <s:item>indexes_edit</s:item> <s:item>license_edit</s:item> <s:item>license_tab</s:item> <s:item>list_deployment_client</s:item> <s:item>list_deployment_server</s:item> <s:item>list_forwarders</s:item> <s:item>list_httpauths</s:item> <s:item>list_pdfserver</s:item> <s:item>list_win_localavailablelogs</s:item> <s:item>rest_apps_management</s:item> <s:item>restart_splunkd</s:item> <s:item>run_debug_commands</s:item> <s:item>write_pdfserver</s:item> </s:list> </s:key> <s:key name="cumulativeRTSrchJobsQuota">400</s:key> <s:key name="cumulativeSrchJobsQuota">200</s:key> <s:key name="defaultApp"></s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="imported_capabilities"> <s:list> <s:item>accelerate_search</s:item> <s:item>change_own_password</s:item> <s:item>embed_report</s:item> <s:item>get_metadata</s:item> <s:item>get_typeahead</s:item> <s:item>input_file</s:item> <s:item>list_inputs</s:item> <s:item>output_file</s:item> <s:item>request_remote_tok</s:item> <s:item>rest_apps_view</s:item> <s:item>rest_properties_get</s:item> <s:item>rest_properties_set</s:item> <s:item>rtsearch</s:item> <s:item>schedule_rtsearch</s:item> <s:item>schedule_search</s:item> <s:item>search</s:item> </s:list> </s:key> <s:key name="imported_roles"> <s:list> <s:item>power</s:item> <s:item>user</s:item> </s:list> </s:key> <s:key name="imported_rtSrchJobsQuota">20</s:key> <s:key name="imported_srchDiskQuota">500</s:key> <s:key name="imported_srchFilter"></s:key> <s:key name="imported_srchIndexesAllowed"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="imported_srchIndexesDefault"> <s:list> <s:item>main</s:item> </s:list> </s:key> <s:key name="imported_srchJobsQuota">10</s:key> <s:key name="imported_srchTimeWin">-1</s:key> <s:key name="rtSrchJobsQuota">100</s:key> <s:key name="srchDiskQuota">10000</s:key> <s:key name="srchFilter">*</s:key> <s:key name="srchIndexesAllowed"> <s:list> <s:item>*</s:item> <s:item>_*</s:item> </s:list> </s:key> <s:key name="srchIndexesDefault"> <s:list> <s:item>main</s:item> <s:item>os</s:item> </s:list> </s:key> <s:key name="srchJobsQuota">50</s:key> <s:key name="srchTimeWin">0</s:key> </s:dict> </content> </entry> <entry> <title>can_delete</title> <id>https://localhost:8089/services/authorization/roles/can_delete</id> <updated>2014-06-30T13:12:17-07:00</updated> <link href="/services/authorization/roles/can_delete" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/authorization/roles/can_delete" rel="list"/> <link href="/services/authorization/roles/can_delete" rel="edit"/> <link href="/services/authorization/roles/can_delete" rel="remove"/> <content type="text/xml"> <s:dict> <s:key name="capabilities"> <s:list> <s:item>delete_by_keyword</s:item> <s:item>schedule_rtsearch</s:item> </s:list> </s:key> <s:key name="cumulativeRTSrchJobsQuota">0</s:key> <s:key name="cumulativeSrchJobsQuota">0</s:key> <s:key name="defaultApp"></s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="imported_capabilities"> <s:list/> </s:key> <s:key name="imported_roles"> <s:list/> </s:key> <s:key name="imported_rtSrchJobsQuota">0</s:key> <s:key name="imported_srchDiskQuota">0</s:key> <s:key name="imported_srchFilter"></s:key> <s:key name="imported_srchIndexesAllowed"> <s:list/> </s:key> <s:key name="imported_srchIndexesDefault"> <s:list/> </s:key> <s:key name="imported_srchJobsQuota">0</s:key> <s:key name="imported_srchTimeWin">-1</s:key> <s:key name="rtSrchJobsQuota">6</s:key> <s:key name="srchDiskQuota">100</s:key> <s:key name="srchFilter"></s:key> <s:key name="srchIndexesAllowed"> <s:list/> </s:key> <s:key name="srchIndexesDefault"> <s:list/> </s:key> <s:key name="srchJobsQuota">3</s:key> <s:key name="srchTimeWin">-1</s:key> </s:dict> </content> </entry> <entry> <title>power</title> <id>https://localhost:8089/services/authorization/roles/power</id> <updated>2014-06-30T13:12:17-07:00</updated> <link href="/services/authorization/roles/power" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/authorization/roles/power" rel="list"/> <link href="/services/authorization/roles/power" rel="edit"/> <link href="/services/authorization/roles/power" rel="remove"/> <content type="text/xml"> <s:dict> <s:key name="capabilities"> <s:list> <s:item>embed_report</s:item> <s:item>rtsearch</s:item> <s:item>schedule_search</s:item> </s:list> </s:key> <s:key name="cumulativeRTSrchJobsQuota">200</s:key> <s:key name="cumulativeSrchJobsQuota">100</s:key> <s:key name="defaultApp"></s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="imported_capabilities"> <s:list> <s:item>accelerate_search</s:item> <s:item>change_own_password</s:item> <s:item>get_metadata</s:item> <s:item>get_typeahead</s:item> <s:item>input_file</s:item> <s:item>list_inputs</s:item> <s:item>output_file</s:item> <s:item>request_remote_tok</s:item> <s:item>rest_apps_view</s:item> <s:item>rest_properties_get</s:item> <s:item>rest_properties_set</s:item> <s:item>schedule_rtsearch</s:item> <s:item>search</s:item> </s:list> </s:key> <s:key name="imported_roles"> <s:list> <s:item>user</s:item> </s:list> </s:key> <s:key name="imported_rtSrchJobsQuota">6</s:key> <s:key name="imported_srchDiskQuota">100</s:key> <s:key name="imported_srchFilter"></s:key> <s:key name="imported_srchIndexesAllowed"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="imported_srchIndexesDefault"> <s:list> <s:item>main</s:item> </s:list> </s:key> <s:key name="imported_srchJobsQuota">3</s:key> <s:key name="imported_srchTimeWin">-1</s:key> <s:key name="rtSrchJobsQuota">20</s:key> <s:key name="srchDiskQuota">500</s:key> <s:key name="srchFilter"></s:key> <s:key name="srchIndexesAllowed"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="srchIndexesDefault"> <s:list> <s:item>main</s:item> </s:list> </s:key> <s:key name="srchJobsQuota">10</s:key> <s:key name="srchTimeWin">-1</s:key> </s:dict> </content> </entry> <entry> <title>splunk-system-role</title> <id>https://localhost:8089/services/authorization/roles/splunk-system-role</id> <updated>2014-06-30T13:12:17-07:00</updated> <link href="/services/authorization/roles/splunk-system-role" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/authorization/roles/splunk-system-role" rel="list"/> <link href="/services/authorization/roles/splunk-system-role" rel="edit"/> <link href="/services/authorization/roles/splunk-system-role" rel="remove"/> <content type="text/xml"> <s:dict> <s:key name="capabilities"> <s:list/> </s:key> <s:key name="cumulativeRTSrchJobsQuota">100</s:key> <s:key name="cumulativeSrchJobsQuota">50</s:key> <s:key name="defaultApp"></s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="imported_capabilities"> <s:list> <s:item>accelerate_datamodel</s:item> <s:item>accelerate_search</s:item> <s:item>admin_all_objects</s:item> <s:item>change_authentication</s:item> <s:item>change_own_password</s:item> <s:item>edit_deployment_client</s:item> <s:item>edit_deployment_server</s:item> <s:item>edit_dist_peer</s:item> <s:item>edit_forwarders</s:item> <s:item>edit_httpauths</s:item> <s:item>edit_input_defaults</s:item> <s:item>edit_monitor</s:item> <s:item>edit_roles</s:item> <s:item>edit_scripted</s:item> <s:item>edit_search_server</s:item> <s:item>edit_server</s:item> <s:item>edit_splunktcp</s:item> <s:item>edit_splunktcp_ssl</s:item> <s:item>edit_tcp</s:item> <s:item>edit_udp</s:item> <s:item>edit_user</s:item> <s:item>edit_view_html</s:item> <s:item>edit_web_settings</s:item> <s:item>edit_win_admon</s:item> <s:item>edit_win_eventlogs</s:item> <s:item>edit_win_perfmon</s:item> <s:item>edit_win_regmon</s:item> <s:item>edit_win_wmiconf</s:item> <s:item>embed_report</s:item> <s:item>get_diag</s:item> <s:item>get_metadata</s:item> <s:item>get_typeahead</s:item> <s:item>indexes_edit</s:item> <s:item>input_file</s:item> <s:item>license_edit</s:item> <s:item>license_tab</s:item> <s:item>list_deployment_client</s:item> <s:item>list_deployment_server</s:item> <s:item>list_forwarders</s:item> <s:item>list_httpauths</s:item> <s:item>list_inputs</s:item> <s:item>list_pdfserver</s:item> <s:item>list_win_localavailablelogs</s:item> <s:item>output_file</s:item> <s:item>request_remote_tok</s:item> <s:item>rest_apps_management</s:item> <s:item>rest_apps_view</s:item> <s:item>rest_properties_get</s:item> <s:item>rest_properties_set</s:item> <s:item>restart_splunkd</s:item> <s:item>rtsearch</s:item> <s:item>run_debug_commands</s:item> <s:item>schedule_rtsearch</s:item> <s:item>schedule_search</s:item> <s:item>search</s:item> <s:item>write_pdfserver</s:item> </s:list> </s:key> <s:key name="imported_roles"> <s:list> <s:item>admin</s:item> </s:list> </s:key> <s:key name="imported_rtSrchJobsQuota">100</s:key> <s:key name="imported_srchDiskQuota">10000</s:key> <s:key name="imported_srchFilter">*</s:key> <s:key name="imported_srchIndexesAllowed"> <s:list> <s:item>*</s:item> <s:item>_*</s:item> </s:list> </s:key> <s:key name="imported_srchIndexesDefault"> <s:list> <s:item>main</s:item> <s:item>os</s:item> </s:list> </s:key> <s:key name="imported_srchJobsQuota">50</s:key> <s:key name="imported_srchTimeWin">-1</s:key> <s:key name="rtSrchJobsQuota">6</s:key> <s:key name="srchDiskQuota">100</s:key> <s:key name="srchFilter"></s:key> <s:key name="srchIndexesAllowed"> <s:list/> </s:key> <s:key name="srchIndexesDefault"> <s:list/> </s:key> <s:key name="srchJobsQuota">3</s:key> <s:key name="srchTimeWin">-1</s:key> </s:dict> </content> </entry> <entry> <title>user</title> <id>https://localhost:8089/services/authorization/roles/user</id> <updated>2014-06-30T13:12:17-07:00</updated> <link href="/services/authorization/roles/user" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/authorization/roles/user" rel="list"/> <link href="/services/authorization/roles/user" rel="edit"/> <link href="/services/authorization/roles/user" rel="remove"/> <content type="text/xml"> <s:dict> <s:key name="capabilities"> <s:list> <s:item>accelerate_search</s:item> <s:item>change_own_password</s:item> <s:item>get_metadata</s:item> <s:item>get_typeahead</s:item> <s:item>input_file</s:item> <s:item>list_inputs</s:item> <s:item>output_file</s:item> <s:item>request_remote_tok</s:item> <s:item>rest_apps_view</s:item> <s:item>rest_properties_get</s:item> <s:item>rest_properties_set</s:item> <s:item>schedule_rtsearch</s:item> <s:item>search</s:item> </s:list> </s:key> <s:key name="cumulativeRTSrchJobsQuota">100</s:key> <s:key name="cumulativeSrchJobsQuota">50</s:key> <s:key name="defaultApp"></s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="imported_capabilities"> <s:list/> </s:key> <s:key name="imported_roles"> <s:list/> </s:key> <s:key name="imported_rtSrchJobsQuota">0</s:key> <s:key name="imported_srchDiskQuota">0</s:key> <s:key name="imported_srchFilter"></s:key> <s:key name="imported_srchIndexesAllowed"> <s:list/> </s:key> <s:key name="imported_srchIndexesDefault"> <s:list/> </s:key> <s:key name="imported_srchJobsQuota">0</s:key> <s:key name="imported_srchTimeWin">-1</s:key> <s:key name="rtSrchJobsQuota">6</s:key> <s:key name="srchDiskQuota">100</s:key> <s:key name="srchFilter"></s:key> <s:key name="srchIndexesAllowed"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="srchIndexesDefault"> <s:list> <s:item>main</s:item> </s:list> </s:key> <s:key name="srchJobsQuota">3</s:key> <s:key name="srchTimeWin">-1</s:key> </s:dict> </content> </entry>

</feed>


authorization/roles POST

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/services/authorization/roles -d name=newrole1 -d imported_roles=user
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>roles</title> <id>https://localhost:8089/services/authorization/roles</id> <updated>2014-06-30T13:21:50-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> <link href="/services/authorization/roles/_new" rel="create"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>newrole1</title> <id>https://localhost:8089/services/authorization/roles/newrole1</id> <updated>2014-06-30T13:21:50-07:00</updated> <link href="/services/authorization/roles/newrole1" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/authorization/roles/newrole1" rel="list"/> <link href="/services/authorization/roles/newrole1" rel="edit"/> <link href="/services/authorization/roles/newrole1" rel="remove"/> <content type="text/xml"> <s:dict> <s:key name="capabilities"> <s:list/> </s:key> <s:key name="cumulativeRTSrchJobsQuota">0</s:key> <s:key name="cumulativeSrchJobsQuota">0</s:key> <s:key name="defaultApp"></s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="imported_capabilities"> <s:list> <s:item>accelerate_search</s:item> <s:item>change_own_password</s:item> <s:item>get_metadata</s:item> <s:item>get_typeahead</s:item> <s:item>input_file</s:item> <s:item>list_inputs</s:item> <s:item>output_file</s:item> <s:item>request_remote_tok</s:item> <s:item>rest_apps_view</s:item> <s:item>rest_properties_get</s:item> <s:item>rest_properties_set</s:item> <s:item>schedule_rtsearch</s:item> <s:item>search</s:item> </s:list> </s:key> <s:key name="imported_roles"> <s:list> <s:item>user</s:item> </s:list> </s:key> <s:key name="imported_rtSrchJobsQuota">6</s:key> <s:key name="imported_srchDiskQuota">100</s:key> <s:key name="imported_srchFilter"></s:key> <s:key name="imported_srchIndexesAllowed"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="imported_srchIndexesDefault"> <s:list> <s:item>main</s:item> </s:list> </s:key> <s:key name="imported_srchJobsQuota">3</s:key> <s:key name="imported_srchTimeWin">-1</s:key> <s:key name="rtSrchJobsQuota">6</s:key> <s:key name="srchDiskQuota">100</s:key> <s:key name="srchFilter"></s:key> <s:key name="srchIndexesAllowed"> <s:list/> </s:key> <s:key name="srchIndexesDefault"> <s:list/> </s:key> <s:key name="srchJobsQuota">3</s:key> <s:key name="srchTimeWin">-1</s:key> </s:dict> </content> </entry>

</feed>


authorization/roles/{name} DELETE

XML
XML Request
curl -k -u admin:changeme --request DELETE https://localhost:8089/services/authorization/roles/newrole1
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>roles</title> <id>https://localhost:8089/services/authorization/roles</id> <updated>2014-06-30T13:39:39-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> <link href="/services/authorization/roles/_new" rel="create"/> <opensearch:totalResults>5</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>admin</title> <id>https://localhost:8089/services/authorization/roles/admin</id> <updated>2014-06-30T13:39:39-07:00</updated> <link href="/services/authorization/roles/admin" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/authorization/roles/admin" rel="list"/> <link href="/services/authorization/roles/admin" rel="edit"/> <link href="/services/authorization/roles/admin" rel="remove"/> <content type="text/xml"> <s:dict> <s:key name="capabilities"> <s:list> <s:item>accelerate_datamodel</s:item> <s:item>admin_all_objects</s:item> <s:item>change_authentication</s:item> <s:item>edit_deployment_client</s:item> <s:item>edit_deployment_server</s:item> <s:item>edit_dist_peer</s:item> <s:item>edit_forwarders</s:item> <s:item>edit_httpauths</s:item> <s:item>edit_input_defaults</s:item> <s:item>edit_monitor</s:item> <s:item>edit_roles</s:item> <s:item>edit_scripted</s:item> <s:item>edit_search_server</s:item> <s:item>edit_server</s:item> <s:item>edit_splunktcp</s:item> <s:item>edit_splunktcp_ssl</s:item> <s:item>edit_tcp</s:item> <s:item>edit_udp</s:item> <s:item>edit_user</s:item> <s:item>edit_view_html</s:item> <s:item>edit_web_settings</s:item> <s:item>edit_win_admon</s:item> <s:item>edit_win_eventlogs</s:item> <s:item>edit_win_perfmon</s:item> <s:item>edit_win_regmon</s:item> <s:item>edit_win_wmiconf</s:item> <s:item>get_diag</s:item> <s:item>indexes_edit</s:item> <s:item>license_edit</s:item> <s:item>license_tab</s:item> <s:item>list_deployment_client</s:item> <s:item>list_deployment_server</s:item> <s:item>list_forwarders</s:item> <s:item>list_httpauths</s:item> <s:item>list_pdfserver</s:item> <s:item>list_win_localavailablelogs</s:item> <s:item>rest_apps_management</s:item> <s:item>restart_splunkd</s:item> <s:item>run_debug_commands</s:item> <s:item>write_pdfserver</s:item> </s:list> </s:key> <s:key name="cumulativeRTSrchJobsQuota">400</s:key> <s:key name="cumulativeSrchJobsQuota">200</s:key> <s:key name="defaultApp"></s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="imported_capabilities"> <s:list> <s:item>accelerate_search</s:item> <s:item>change_own_password</s:item> <s:item>embed_report</s:item> <s:item>get_metadata</s:item> <s:item>get_typeahead</s:item> <s:item>input_file</s:item> <s:item>list_inputs</s:item> <s:item>output_file</s:item> <s:item>request_remote_tok</s:item> <s:item>rest_apps_view</s:item> <s:item>rest_properties_get</s:item> <s:item>rest_properties_set</s:item> <s:item>rtsearch</s:item> <s:item>schedule_rtsearch</s:item> <s:item>schedule_search</s:item> <s:item>search</s:item> </s:list> </s:key> <s:key name="imported_roles"> <s:list> <s:item>power</s:item> <s:item>user</s:item> </s:list> </s:key> <s:key name="imported_rtSrchJobsQuota">20</s:key> <s:key name="imported_srchDiskQuota">500</s:key> <s:key name="imported_srchFilter"></s:key> <s:key name="imported_srchIndexesAllowed"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="imported_srchIndexesDefault"> <s:list> <s:item>main</s:item> </s:list> </s:key> <s:key name="imported_srchJobsQuota">10</s:key> <s:key name="imported_srchTimeWin">-1</s:key> <s:key name="rtSrchJobsQuota">100</s:key> <s:key name="srchDiskQuota">10000</s:key> <s:key name="srchFilter">*</s:key> <s:key name="srchIndexesAllowed"> <s:list> <s:item>*</s:item> <s:item>_*</s:item> </s:list> </s:key> <s:key name="srchIndexesDefault"> <s:list> <s:item>main</s:item> <s:item>os</s:item> </s:list> </s:key> <s:key name="srchJobsQuota">50</s:key> <s:key name="srchTimeWin">0</s:key> </s:dict> </content> </entry> <entry> <title>can_delete</title> <id>https://localhost:8089/services/authorization/roles/can_delete</id> <updated>2014-06-30T13:39:39-07:00</updated> <link href="/services/authorization/roles/can_delete" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/authorization/roles/can_delete" rel="list"/> <link href="/services/authorization/roles/can_delete" rel="edit"/> <link href="/services/authorization/roles/can_delete" rel="remove"/> <content type="text/xml"> <s:dict> <s:key name="capabilities"> <s:list> <s:item>delete_by_keyword</s:item> <s:item>schedule_rtsearch</s:item> </s:list> </s:key> <s:key name="cumulativeRTSrchJobsQuota">0</s:key> <s:key name="cumulativeSrchJobsQuota">0</s:key> <s:key name="defaultApp"></s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="imported_capabilities"> <s:list/> </s:key> <s:key name="imported_roles"> <s:list/> </s:key> <s:key name="imported_rtSrchJobsQuota">0</s:key> <s:key name="imported_srchDiskQuota">0</s:key> <s:key name="imported_srchFilter"></s:key> <s:key name="imported_srchIndexesAllowed"> <s:list/> </s:key> <s:key name="imported_srchIndexesDefault"> <s:list/> </s:key> <s:key name="imported_srchJobsQuota">0</s:key> <s:key name="imported_srchTimeWin">-1</s:key> <s:key name="rtSrchJobsQuota">6</s:key> <s:key name="srchDiskQuota">100</s:key> <s:key name="srchFilter"></s:key> <s:key name="srchIndexesAllowed"> <s:list/> </s:key> <s:key name="srchIndexesDefault"> <s:list/> </s:key> <s:key name="srchJobsQuota">3</s:key> <s:key name="srchTimeWin">-1</s:key> </s:dict> </content> </entry> <entry> <title>power</title> <id>https://localhost:8089/services/authorization/roles/power</id> <updated>2014-06-30T13:39:39-07:00</updated> <link href="/services/authorization/roles/power" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/authorization/roles/power" rel="list"/> <link href="/services/authorization/roles/power" rel="edit"/> <link href="/services/authorization/roles/power" rel="remove"/> <content type="text/xml"> <s:dict> <s:key name="capabilities"> <s:list> <s:item>embed_report</s:item> <s:item>rtsearch</s:item> <s:item>schedule_search</s:item> </s:list> </s:key> <s:key name="cumulativeRTSrchJobsQuota">200</s:key> <s:key name="cumulativeSrchJobsQuota">100</s:key> <s:key name="defaultApp"></s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="imported_capabilities"> <s:list> <s:item>accelerate_search</s:item> <s:item>change_own_password</s:item> <s:item>get_metadata</s:item> <s:item>get_typeahead</s:item> <s:item>input_file</s:item> <s:item>list_inputs</s:item> <s:item>output_file</s:item> <s:item>request_remote_tok</s:item> <s:item>rest_apps_view</s:item> <s:item>rest_properties_get</s:item> <s:item>rest_properties_set</s:item> <s:item>schedule_rtsearch</s:item> <s:item>search</s:item> </s:list> </s:key> <s:key name="imported_roles"> <s:list> <s:item>user</s:item> </s:list> </s:key> <s:key name="imported_rtSrchJobsQuota">6</s:key> <s:key name="imported_srchDiskQuota">100</s:key> <s:key name="imported_srchFilter"></s:key> <s:key name="imported_srchIndexesAllowed"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="imported_srchIndexesDefault"> <s:list> <s:item>main</s:item> </s:list> </s:key> <s:key name="imported_srchJobsQuota">3</s:key> <s:key name="imported_srchTimeWin">-1</s:key> <s:key name="rtSrchJobsQuota">20</s:key> <s:key name="srchDiskQuota">500</s:key> <s:key name="srchFilter"></s:key> <s:key name="srchIndexesAllowed"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="srchIndexesDefault"> <s:list> <s:item>main</s:item> </s:list> </s:key> <s:key name="srchJobsQuota">10</s:key> <s:key name="srchTimeWin">-1</s:key> </s:dict> </content> </entry> <entry> <title>splunk-system-role</title> <id>https://localhost:8089/services/authorization/roles/splunk-system-role</id> <updated>2014-06-30T13:39:39-07:00</updated> <link href="/services/authorization/roles/splunk-system-role" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/authorization/roles/splunk-system-role" rel="list"/> <link href="/services/authorization/roles/splunk-system-role" rel="edit"/> <link href="/services/authorization/roles/splunk-system-role" rel="remove"/> <content type="text/xml"> <s:dict> <s:key name="capabilities"> <s:list/> </s:key> <s:key name="cumulativeRTSrchJobsQuota">100</s:key> <s:key name="cumulativeSrchJobsQuota">50</s:key> <s:key name="defaultApp"></s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="imported_capabilities"> <s:list> <s:item>accelerate_datamodel</s:item> <s:item>accelerate_search</s:item> <s:item>admin_all_objects</s:item> <s:item>change_authentication</s:item> <s:item>change_own_password</s:item> <s:item>edit_deployment_client</s:item> <s:item>edit_deployment_server</s:item> <s:item>edit_dist_peer</s:item> <s:item>edit_forwarders</s:item> <s:item>edit_httpauths</s:item> <s:item>edit_input_defaults</s:item> <s:item>edit_monitor</s:item> <s:item>edit_roles</s:item> <s:item>edit_scripted</s:item> <s:item>edit_search_server</s:item> <s:item>edit_server</s:item> <s:item>edit_splunktcp</s:item> <s:item>edit_splunktcp_ssl</s:item> <s:item>edit_tcp</s:item> <s:item>edit_udp</s:item> <s:item>edit_user</s:item> <s:item>edit_view_html</s:item> <s:item>edit_web_settings</s:item> <s:item>edit_win_admon</s:item> <s:item>edit_win_eventlogs</s:item> <s:item>edit_win_perfmon</s:item> <s:item>edit_win_regmon</s:item> <s:item>edit_win_wmiconf</s:item> <s:item>embed_report</s:item> <s:item>get_diag</s:item> <s:item>get_metadata</s:item> <s:item>get_typeahead</s:item> <s:item>indexes_edit</s:item> <s:item>input_file</s:item> <s:item>license_edit</s:item> <s:item>license_tab</s:item> <s:item>list_deployment_client</s:item> <s:item>list_deployment_server</s:item> <s:item>list_forwarders</s:item> <s:item>list_httpauths</s:item> <s:item>list_inputs</s:item> <s:item>list_pdfserver</s:item> <s:item>list_win_localavailablelogs</s:item> <s:item>output_file</s:item> <s:item>request_remote_tok</s:item> <s:item>rest_apps_management</s:item> <s:item>rest_apps_view</s:item> <s:item>rest_properties_get</s:item> <s:item>rest_properties_set</s:item> <s:item>restart_splunkd</s:item> <s:item>rtsearch</s:item> <s:item>run_debug_commands</s:item> <s:item>schedule_rtsearch</s:item> <s:item>schedule_search</s:item> <s:item>search</s:item> <s:item>write_pdfserver</s:item> </s:list> </s:key> <s:key name="imported_roles"> <s:list> <s:item>admin</s:item> </s:list> </s:key> <s:key name="imported_rtSrchJobsQuota">100</s:key> <s:key name="imported_srchDiskQuota">10000</s:key> <s:key name="imported_srchFilter">*</s:key> <s:key name="imported_srchIndexesAllowed"> <s:list> <s:item>*</s:item> <s:item>_*</s:item> </s:list> </s:key> <s:key name="imported_srchIndexesDefault"> <s:list> <s:item>main</s:item> <s:item>os</s:item> </s:list> </s:key> <s:key name="imported_srchJobsQuota">50</s:key> <s:key name="imported_srchTimeWin">-1</s:key> <s:key name="rtSrchJobsQuota">6</s:key> <s:key name="srchDiskQuota">100</s:key> <s:key name="srchFilter"></s:key> <s:key name="srchIndexesAllowed"> <s:list/> </s:key> <s:key name="srchIndexesDefault"> <s:list/> </s:key> <s:key name="srchJobsQuota">3</s:key> <s:key name="srchTimeWin">-1</s:key> </s:dict> </content> </entry> <entry> <title>user</title> <id>https://localhost:8089/services/authorization/roles/user</id> <updated>2014-06-30T13:39:39-07:00</updated> <link href="/services/authorization/roles/user" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/authorization/roles/user" rel="list"/> <link href="/services/authorization/roles/user" rel="edit"/> <link href="/services/authorization/roles/user" rel="remove"/> <content type="text/xml"> <s:dict> <s:key name="capabilities"> <s:list> <s:item>accelerate_search</s:item> <s:item>change_own_password</s:item> <s:item>get_metadata</s:item> <s:item>get_typeahead</s:item> <s:item>input_file</s:item> <s:item>list_inputs</s:item> <s:item>output_file</s:item> <s:item>request_remote_tok</s:item> <s:item>rest_apps_view</s:item> <s:item>rest_properties_get</s:item> <s:item>rest_properties_set</s:item> <s:item>schedule_rtsearch</s:item> <s:item>search</s:item> </s:list> </s:key> <s:key name="cumulativeRTSrchJobsQuota">100</s:key> <s:key name="cumulativeSrchJobsQuota">50</s:key> <s:key name="defaultApp"></s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="imported_capabilities"> <s:list/> </s:key> <s:key name="imported_roles"> <s:list/> </s:key> <s:key name="imported_rtSrchJobsQuota">0</s:key> <s:key name="imported_srchDiskQuota">0</s:key> <s:key name="imported_srchFilter"></s:key> <s:key name="imported_srchIndexesAllowed"> <s:list/> </s:key> <s:key name="imported_srchIndexesDefault"> <s:list/> </s:key> <s:key name="imported_srchJobsQuota">0</s:key> <s:key name="imported_srchTimeWin">-1</s:key> <s:key name="rtSrchJobsQuota">6</s:key> <s:key name="srchDiskQuota">100</s:key> <s:key name="srchFilter"></s:key> <s:key name="srchIndexesAllowed"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="srchIndexesDefault"> <s:list> <s:item>main</s:item> </s:list> </s:key> <s:key name="srchJobsQuota">3</s:key> <s:key name="srchTimeWin">-1</s:key> </s:dict> </content> </entry>

</feed>


authorization/roles/{name} GET

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/services/authorization/roles/newrole1
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>roles</title> <id>https://localhost:8089/services/authorization/roles</id> <updated>2014-06-30T13:30:34-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> <link href="/services/authorization/roles/_new" rel="create"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>newrole1</title> <id>https://localhost:8089/services/authorization/roles/newrole1</id> <updated>2014-06-30T13:30:34-07:00</updated> <link href="/services/authorization/roles/newrole1" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/authorization/roles/newrole1" rel="list"/> <link href="/services/authorization/roles/newrole1" rel="edit"/> <link href="/services/authorization/roles/newrole1" rel="remove"/> <content type="text/xml"> <s:dict> <s:key name="capabilities"> <s:list/> </s:key> <s:key name="cumulativeRTSrchJobsQuota">0</s:key> <s:key name="cumulativeSrchJobsQuota">0</s:key> <s:key name="defaultApp"></s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list> <s:item>capabilities</s:item> <s:item>cumulativeRTSrchJobsQuota</s:item> <s:item>cumulativeSrchJobsQuota</s:item> <s:item>defaultApp</s:item> <s:item>imported_roles</s:item> <s:item>rtSrchJobsQuota</s:item> <s:item>srchDiskQuota</s:item> <s:item>srchFilter</s:item> <s:item>srchIndexesAllowed</s:item> <s:item>srchIndexesDefault</s:item> <s:item>srchJobsQuota</s:item> <s:item>srchTimeWin</s:item> </s:list> </s:key> <s:key name="requiredFields"> <s:list/> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="imported_capabilities"> <s:list> <s:item>accelerate_search</s:item> <s:item>change_own_password</s:item> <s:item>get_metadata</s:item> <s:item>get_typeahead</s:item> <s:item>input_file</s:item> <s:item>list_inputs</s:item> <s:item>output_file</s:item> <s:item>request_remote_tok</s:item> <s:item>rest_apps_view</s:item> <s:item>rest_properties_get</s:item> <s:item>rest_properties_set</s:item> <s:item>schedule_rtsearch</s:item> <s:item>search</s:item> </s:list> </s:key> <s:key name="imported_roles"> <s:list> <s:item>user</s:item> </s:list> </s:key> <s:key name="imported_rtSrchJobsQuota">6</s:key> <s:key name="imported_srchDiskQuota">100</s:key> <s:key name="imported_srchFilter"></s:key> <s:key name="imported_srchIndexesAllowed"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="imported_srchIndexesDefault"> <s:list> <s:item>main</s:item> </s:list> </s:key> <s:key name="imported_srchJobsQuota">3</s:key> <s:key name="imported_srchTimeWin">-1</s:key> <s:key name="rtSrchJobsQuota">6</s:key> <s:key name="srchDiskQuota">100</s:key> <s:key name="srchFilter"></s:key> <s:key name="srchIndexesAllowed"> <s:list/> </s:key> <s:key name="srchIndexesDefault"> <s:list/> </s:key> <s:key name="srchJobsQuota">3</s:key> <s:key name="srchTimeWin">-1</s:key> </s:dict> </content> </entry>

</feed>


authorization/roles/{name} POST

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/services/authorization/roles/newrole1 -d defaultApp=launcher
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>roles</title> <id>https://localhost:8089/services/authorization/roles</id> <updated>2014-06-30T13:33:38-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> <link href="/services/authorization/roles/_new" rel="create"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>newrole1</title> <id>https://localhost:8089/services/authorization/roles/newrole1</id> <updated>2014-06-30T13:33:38-07:00</updated> <link href="/services/authorization/roles/newrole1" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/authorization/roles/newrole1" rel="list"/> <link href="/services/authorization/roles/newrole1" rel="edit"/> <link href="/services/authorization/roles/newrole1" rel="remove"/> <content type="text/xml"> <s:dict> <s:key name="capabilities"> <s:list/> </s:key> <s:key name="cumulativeRTSrchJobsQuota">0</s:key> <s:key name="cumulativeSrchJobsQuota">0</s:key> <s:key name="defaultApp">launcher</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="imported_capabilities"> <s:list> <s:item>accelerate_search</s:item> <s:item>change_own_password</s:item> <s:item>get_metadata</s:item> <s:item>get_typeahead</s:item> <s:item>input_file</s:item> <s:item>list_inputs</s:item> <s:item>output_file</s:item> <s:item>request_remote_tok</s:item> <s:item>rest_apps_view</s:item> <s:item>rest_properties_get</s:item> <s:item>rest_properties_set</s:item> <s:item>schedule_rtsearch</s:item> <s:item>search</s:item> </s:list> </s:key> <s:key name="imported_roles"> <s:list> <s:item>user</s:item> </s:list> </s:key> <s:key name="imported_rtSrchJobsQuota">6</s:key> <s:key name="imported_srchDiskQuota">100</s:key> <s:key name="imported_srchFilter"></s:key> <s:key name="imported_srchIndexesAllowed"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="imported_srchIndexesDefault"> <s:list> <s:item>main</s:item> </s:list> </s:key> <s:key name="imported_srchJobsQuota">3</s:key> <s:key name="imported_srchTimeWin">-1</s:key> <s:key name="rtSrchJobsQuota">6</s:key> <s:key name="srchDiskQuota">100</s:key> <s:key name="srchFilter"></s:key> <s:key name="srchIndexesAllowed"> <s:list/> </s:key> <s:key name="srchIndexesDefault"> <s:list/> </s:key> <s:key name="srchJobsQuota">3</s:key> <s:key name="srchTimeWin">-1</s:key> </s:dict> </content> </entry>

</feed>


storage/passwords GET

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/services/storage/passwords
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>passwords</title> <id>https://localhost:8089/services/storage/passwords</id> <updated>2014-06-30T13:43:06-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> <link href="/services/storage/passwords/_new" rel="create"/> <link href="/services/storage/passwords/_reload" rel="_reload"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>:testuser:</title> <id>https://localhost:8089/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A</id> <updated>2014-06-30T13:43:06-07:00</updated> <link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A" rel="list"/> <link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A/_reload" rel="_reload"/> <link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A" rel="edit"/> <link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A" rel="remove"/> <content type="text/xml"> <s:dict> <s:key name="clear_password">newpwd</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">search</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">admin</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> <s:item>power</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">1</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="encr_password">$1$prTUy3vRWg==</s:key> <s:key name="password">********</s:key> <s:key name="realm"></s:key> <s:key name="username">testuser</s:key> </s:dict> </content> </entry>

</feed>


storage/passwords POST

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/passwords -d name=user1 -d password=changeme2
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>passwords</title> <id>https://localhost:8089/services/storage/passwords</id> <updated>2014-06-30T13:51:44-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> <link href="/services/storage/passwords/_new" rel="create"/> <link href="/services/storage/passwords/_reload" rel="_reload"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>:user1:</title> <id>https://localhost:8089/servicesNS/nobody/search/storage/passwords/%3Auser1%3A</id> <updated>2014-06-30T13:51:44-07:00</updated> <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="list"/> <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A/_reload" rel="_reload"/> <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="edit"/> <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="remove"/> <content type="text/xml"> <s:dict> <s:key name="clear_password">changeme2</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">search</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">admin</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> <s:item>power</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">1</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="encr_password">$1$q7nC1WvQY/pGcQ==</s:key> <s:key name="password">********</s:key> <s:key name="realm"></s:key> <s:key name="username">user1</s:key> </s:dict> </content> </entry>

</feed>


storage/passwords/{name} DELETE

XML
XML Request
curl -k -u admin:changeme --request DELETE https://localhost:8089/servicesNS/nobody/search/storage/passwords/:user1:
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>passwords</title> <id>https://localhost:8089/services/storage/passwords</id> <updated>2014-06-30T14:21:11-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> <link href="/services/storage/passwords/_new" rel="create"/> <link href="/services/storage/passwords/_reload" rel="_reload"/> <opensearch:totalResults>0</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/>

</feed>


storage/passwords/{name} GET

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/passwords/user1
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>passwords</title> <id>https://localhost:8089/services/storage/passwords</id> <updated>2014-06-30T14:06:04-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> <link href="/services/storage/passwords/_new" rel="create"/> <link href="/services/storage/passwords/_reload" rel="_reload"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>:user1:</title> <id>https://localhost:8089/servicesNS/nobody/search/storage/passwords/%3Auser1%3A</id> <updated>2014-06-30T14:06:04-07:00</updated> <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="list"/> <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A/_reload" rel="_reload"/> <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="edit"/> <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="remove"/> <content type="text/xml"> <s:dict> <s:key name="clear_password">changeme2</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">search</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">admin</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> <s:item>power</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">1</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list/> </s:key> <s:key name="requiredFields"> <s:list> <s:item>password</s:item> </s:list> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="encr_password">$1$q7nC1WvQY/pGcQ==</s:key> <s:key name="password">********</s:key> <s:key name="realm"></s:key> <s:key name="username">user1</s:key> </s:dict> </content> </entry>

</feed>


storage/passwords/{name} POST

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/passwords/splunker -d password=changemeAgain
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>passwords</title> <id>https://localhost:8089/services/storage/passwords</id> <updated>2014-06-30T14:13:57-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> <link href="/services/storage/passwords/_new" rel="create"/> <link href="/services/storage/passwords/_reload" rel="_reload"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>:user1:</title> <id>https://localhost:8089/servicesNS/nobody/search/storage/passwords/%3Auser1%3A</id> <updated>2014-06-30T14:13:57-07:00</updated> <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="list"/> <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A/_reload" rel="_reload"/> <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="edit"/> <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="remove"/> <content type="text/xml"> <s:dict> <s:key name="clear_password">changemeAgain</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">search</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">admin</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> <s:item>power</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">1</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="encr_password">$1$q7nC1WvQY/p0UtMdIVM=</s:key> <s:key name="password">********</s:key> <s:key name="realm"></s:key> <s:key name="username">user1</s:key> </s:dict> </content> </entry>

</feed>

Application endpoints

Application endpoint descriptions

Manage applications.




apps/appinstall


https://<host>:<port>/services/apps/appinstall

Authentication: Not required

Description

Install application.

Method summary
Method Description Formats
POST Install or update an application from a local file or URL. XML, JSON

POST apps/appinstall method detail

Example

Request parameters
Name Type Default Description
name
required
String Full Unix or Windows path of the .tgz or .spl app source file. The path can be on the local disk or a URL.
update Boolean Update existing app indication:
true = update existing app, overwriting the existing app folder.
false = [Default] install new app.
Response data keys
Name Description
location Installed location ($SPLUNK_HOME/etc/apps/<appname>).
name App name.
source_location App source file location, the path name request parameter.
status Install status:
installed = Successfully installed.
Application usage

Expect some response delay while app is installed.

[ Top ]



apps/apptemplates


https://<host>:<port>/services/apps/apptemplates

Authentication: Not required

Description

List installed app templates.

See also
Method summary
Method Description Formats
GET List installed app templates. XML, JSON

GET apps/apptemplates method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys

None

Each <entry> element includes a <link> reference to an app template. The barebones and sample_app templates are installed by default.

Application usage

Use the app template as the /services/apps/local endpoint template POST parameter.

[ Top ]



apps/apptemplates/{name}


https://<host>:<port>/services/apps/apptemplates/{name}

Authentication: Not required

Description

Get the {name} app template descriptor.

See also

apps/apptemplates

Method summary
Method Description Formats
GET Get the {name} app template descriptor. XML, JSON

GET apps/apptemplates/{name} method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys

None

[ Top ]



apps/local


https://<host>:<port>/services/apps/local

Authentication: Not required

Description

Create an app or list installed apps and properties.

Method summary
Method Description Formats
GET List installed apps and properties. XML, JSON
POST Create an app. XML, JSON

GET apps/local method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
author App author with optional contact info. For apps deployed on Splunkbase, the Splunkbase account username.
check_for_updates Check for updates indication:
true = Check Splunkbase for app updates.
false = Do not check Splunkbase for app updates.
configured Custom setup complete indication:
true = Custom app setup complete.
false = Custom app setup not complete.
description Short app description also displayed below the app title in Splunk Web and Launcher.
details Splunk Enterprise Apps URL for detailed information about the app.
disabled App state indication:
true = App is disabled.
false = App is enabled.
label App name also displayed in Splunk Web and Launcher.
state_change_requires_restart Restart required on state change indication:
true = App state change requires restart.
false = App state change might not require restart, depending on other restart requirements.
version App version.
visible App is visible and navigable from Splunk Web indication:
true = App is visible and navigable.
false = App is not visible and navigable.
Application usage

Splunkbase can correlate locally-installed apps with the same app on Splunkbase for update notifications.


POST apps/local method detail

Example

Request parameters
Name Type Default Description
auth String Splunkbase session token for operations like install and update that require login. Use auth or session when installing or updating an app through Splunkbase.
author String For apps posted to Splunkbase, your Splunk Enterprise account username. For internal apps, your full name and contact information.
configured Boolean Custom setup complete indication:
true = Custom app setup complete.
false = Custom app setup not complete.
description String Short app description also displayed below the app title in Splunk Web Launcher.
explicit_appname String Custom app name. When installing an app from a file, where filename is true, overrides name.
filename Boolean App source location:
true = name is a path to a file to install.
false = name is the literal app name and the app is created from Splunkbase using a template.
label String App name displayed in Splunk Web, from five to 80 characters and excluding the prefix "Splunk For".
name
required
String Literal app name or path to the file to install, depending on the value of filename:
filename = false: literal app name and the app is created from Splunkbase using a template.
filename = true: URL or path to local .tar, .tgz or .spl file. If name is the Splunkbase URL, set auth or session to authenticate the request.
session String Login session token for installing or updating an app on Splunkbase. Alternatively, use auth.
template Enum App template to use when creating the app"
barebones - [Default] Basic app framework.
sample_app - Example views and searches.
Any custom app template.
update Boolean File-based update indication:
true = Can use filename to update an existing app.
false = [Default] Cannot use filename to update an existing app.
version String App version.
visible Boolean App is visible and navigable from Splunk Web indication:
true = App is visible and navigable.
false = App is not visible and navigable.
Response data keys
Name Description
author For apps posted to Splunkbase, your Splunk Enterprise account username. For internal apps, your full name and contact information.
check_for_updates Check for updates indication:
true = Check Splunkbase for app updates.
false = Do not check Splunkbase for app updates.
configured Custom setup complete indication:
true = Custom app setup complete.
false = Custom app setup not complete.
description Short app description also displayed below the app title in Splunk Web Launcher.
disabled App state indication:
true = App is disabled.
false = App is enabled.
label App name displayed in Splunk Web, from five to 80 characters and excluding the prefix "Splunk For".
name Installed app name, which might differ from the POST name parameter.
state_change_requires_restart Restart required on state change indication:
true = App state change requires restart.
false = App state change might not require restart, depending on other restart requirements.
version App version.
visible App is visible and navigable from Splunk Web indication:
true = App is visible and navigable.
false = App is not visible and navigable.
Application usage

[ Top ]



apps/local/{name}


https://<host>:<port>/services/apps/local/{name}

Authentication: Not required

Description

Manage {name} app.

See also

"Uninstall an app"

Method summary
Method Description Formats
DELETE Delete the {name} app. XML, JSON
GET List information about the {name} app. XML, JSON
POST Update the {name} app properties. XML, JSON

DELETE apps/local/{name} method detail

Example

Request parameters

None

Response data keys

None

A message is displayed that might indicate a restart is required.

Application usage



GET apps/local/{name} method detail

Example

Request parameters
Name Type Default Description
refresh Boolean Reload any objects associated with the {name} app indication:
true = Reload objects.
false = Do not reload objects.
Response data keys
Name Description
author For apps posted to Splunkbase, your Splunk Enterprise account username. For internal apps, your full name and contact information.
check_for_updates Check for updates indication:
true = Check Splunkbase for app updates.
false = Do not check Splunkbase for app updates.
configured Custom setup complete indication:
true = Custom app setup complete.
false = Custom app setup not complete.
description Short app description also displayed below the app title in Splunk Web Launcher.
disabled App state indication:
true = App is disabled.
false = App is enabled.
label App name displayed in Splunk Web, from five to 80 characters and excluding the prefix "Splunk For".
state_change_requires_restart Restart required on state change indication:
true = App state change requires restart.
false = App state change might not require restart, depending on other restart requirements.
version App version.
visible App is visible and navigable from Splunk Web indication:
true = App is visible and navigable.
false = App is not visible and navigable.

POST apps/local/{name} method detail

Example

Request parameters
Name Type Default Description
author String For apps posted to Splunkbase, your Splunk Enterprise account username. For internal apps, your full name and contact information.
check_for_updates Boolean Check for updates indication:
true = Check Splunkbase for app updates.
false = Do not check Splunkbase for app updates.
configured Boolean Custom setup complete indication:
true = Custom app setup complete.
false = Custom app setup not complete.
description String Short app description also displayed below the app title in Splunk Web Launcher.
label String App name displayed in Splunk Web, from five to 80 characters and excluding the prefix "Splunk For".
version String App version.
visible Boolean App is visible and navigable from Splunk Web indication:
true = App is visible and navigable.
false = App is not visible and navigable.
Response data keys
Name Description
author For apps posted to Splunkbase, your Splunk Enterprise account username. For internal apps, your full name and contact information.
check_for_updates Check for updates indication:
true = Check Splunkbase for app updates.
false = Do not check Splunkbase for app updates.
configured Custom setup complete indication:
true = Custom app setup complete.
false = Custom app setup not complete.
description Short app description also displayed below the app title in Splunk Web Launcher.
disabled App state indication:
true = App is disabled.
false = App is enabled.
label App name displayed in Splunk Web, from five to 80 characters and excluding the prefix "Splunk For".
state_change_requires_restart Restart required on state change indication:
true = App state change requires restart.
false = App state change might not require restart, depending on other restart requirements.
version App version.
visible App is visible and navigable from Splunk Web indication:
true = App is visible and navigable.
false = App is not visible and navigable.
Application usage

[ Top ]



apps/local/{name}/package


https://<host>:<port>/services/apps/local/{name}/package

Authentication: Required

Description

Archive the {name} app as a .spl file in the $SPLUNK_HOME/etc/system/static/app-packages directory.

Method summary
Method Description Formats
GET Archive the {name}.spl app. XML, JSON

GET apps/local/{name}/package method detail

Example

Request parameters

None

Response data keys
Name Description
name App name and name of the folder containing the app.
path Local path to an archive of the app.
url App download URL.
Application usage

Download the archived app using the following URL:


https://host:<port>/static/app-packages/{name}.spl

[ Top ]



apps/local/{name}/setup


https://<host>:<port>/services/apps/local/{name}/setup

Authentication: Not required

Description

Get the {name} app setup information.

See also

Configure a setup screen

Method summary
Method Description Formats
GET Get setup information for the {name} app. XML, JSON

GET apps/local/{name}/setup method detail

Example

Request parameters

None

Response data keys
Name Description
<script location> TBD
eai:setup CDATA setup script location.
Application usage

Some apps contain setup scripts that must be run before the app is enabled. For those apps, the setup.xml file must exist in the $SPLUNK_BASE\etc\apps\<appname>\default directory.

[ Top ]



apps/local/{name}/update


https://<host>:<port>/services/apps/local/{name}/update

Authentication: Not required

Description

Get update information for the {name} app.

Method summary
Method Description Formats
GET Get {name} app eai:acl information. XML, JSON

GET apps/local/{name}/update method detail

Example

Request parameters

None

Response data keys

The eai:acl key of the {name} app.

[ Top ]



Application endpoint examples

apps/appinstall POST

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/apps/appinstall/ -d name=c:/tmp/splunk-dashboard-examples_50.tgz
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title></title>
 <id>https://localhost:8089/services/apps/appinstall</id>
 <updated>2014-07-01T09:44:41-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/apps/appinstall/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>dashboard_examples</title>
   <id>https://localhost:8089/services/apps/appinstall/dashboard_examples</id>
   <updated>2014-07-01T09:44:41-07:00</updated>
   <link href="/services/apps/appinstall/dashboard_examples" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/apps/appinstall/dashboard_examples" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="location">C:\Program Files\Splunk\etc\apps\dashboard_examples</s:key>
       <s:key name="name">dashboard_examples</s:key>
       <s:key name="source_location">c:/tmp/splunk-dashboard-examples_50.tgz</s:key>
       <s:key name="status">installed</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


apps/apptemplates GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/apps/apptemplates
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title></title>
 <id>https://localhost:8089/services/apps/apptemplates</id>
 <updated>2014-07-01T09:50:36-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>2</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>barebones</title>
   <id>https://localhost:8089/services/apps/apptemplates/barebones</id>
   <updated>2014-07-01T09:50:36-07:00</updated>
   <link href="/services/apps/apptemplates/barebones" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/apps/apptemplates/barebones" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="lol">wut</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>sample_app</title>
   <id>https://localhost:8089/services/apps/apptemplates/sample_app</id>
   <updated>2014-07-01T09:50:36-07:00</updated>
   <link href="/services/apps/apptemplates/sample_app" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/apps/apptemplates/sample_app" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="lol">wut</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


apps/apptemplates/{name} GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/apps/apptemplates/sample_app
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title></title>
 <id>https://localhost:8089/services/apps/apptemplates</id>
 <updated>2014-07-01T09:54:23-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>sample_app</title>
   <id>https://localhost:8089/services/apps/apptemplates/sample_app</id>
   <updated>2014-07-01T09:54:23-07:00</updated>
   <link href="/services/apps/apptemplates/sample_app" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/apps/apptemplates/sample_app" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="lol">wut</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


apps/local GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/apps/local
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>localapps</title> <id>https://localhost:8089/services/apps/local</id> <updated>2014-07-01T09:58:57-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> <link href="/services/apps/local/_new" rel="create"/> <link href="/services/apps/local/_reload" rel="_reload"/> <opensearch:totalResults>13</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>cupcake_demo</title> <id>https://localhost:8089/servicesNS/nobody/system/apps/local/cupcake_demo</id> <updated>2014-07-01T09:58:57-07:00</updated> <link href="/servicesNS/nobody/system/apps/local/cupcake_demo" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/apps/local/cupcake_demo" rel="list"/> <link href="/servicesNS/nobody/system/apps/local/cupcake_demo/_reload" rel="_reload"/> <link href="/servicesNS/nobody/system/apps/local/cupcake_demo" rel="edit"/> <link href="/servicesNS/nobody/system/apps/local/cupcake_demo" rel="remove"/> <link href="/servicesNS/nobody/system/apps/local/cupcake_demo/enable" rel="enable"/> <link href="/servicesNS/nobody/system/apps/local/cupcake_demo/package" rel="package"/> <content type="text/xml"> <s:dict> <s:key name="author">Splunk PM</s:key> <s:key name="check_for_updates">1</s:key> <s:key name="configured">1</s:key> <s:key name="description">This app provides a walk-through of the key features for Cupcake.</s:key> <s:key name="details">https://splunkbase.splunk.com/apps/id/cupcake_demo</s:key> <s:key name="disabled">1</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">system</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> <s:item>power</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="label">Cupcake Release</s:key> <s:key name="state_change_requires_restart">0</s:key> <s:key name="version">1.0</s:key> <s:key name="visible">1</s:key> </s:dict> </content> </entry> <entry> <title>dashboard_examples</title> <id>https://localhost:8089/servicesNS/nobody/system/apps/local/dashboard_examples</id> <updated>2014-07-01T09:58:57-07:00</updated> <link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="list"/> <link href="/servicesNS/nobody/system/apps/local/dashboard_examples/_reload" rel="_reload"/> <link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="edit"/> <link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="remove"/> <link href="/servicesNS/nobody/system/apps/local/dashboard_examples/disable" rel="disable"/> <link href="/servicesNS/nobody/system/apps/local/dashboard_examples/package" rel="package"/> <content type="text/xml"> <s:dict> <s:key name="author">Splunk, Inc.</s:key> <s:key name="check_for_updates">1</s:key> <s:key name="configured">0</s:key> <s:key name="description"><![CDATA[Example dashboards, forms, and views for Splunk 5+. This is the succesor app to UI Examples 4.1+. Splunk Dashboard Examples contains over 50 examples updated for Splunk 5. Each example contains inline documenation to help get you started building Splunk dashboards.]]></s:key> <s:key name="details">https://splunkbase.splunk.com/apps/id/dashboard_examples</s:key> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">system</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="label">Splunk Dashboard Examples</s:key> <s:key name="state_change_requires_restart">0</s:key> <s:key name="version">5.0</s:key> <s:key name="visible">1</s:key> </s:dict> </content> </entry> <entry> <title>framework</title> <id>https://localhost:8089/servicesNS/nobody/system/apps/local/framework</id> <updated>2014-07-01T09:58:57-07:00</updated> <link href="/servicesNS/nobody/system/apps/local/framework" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/apps/local/framework" rel="list"/> <link href="/servicesNS/nobody/system/apps/local/framework/_reload" rel="_reload"/> <link href="/servicesNS/nobody/system/apps/local/framework" rel="edit"/> <link href="/servicesNS/nobody/system/apps/local/framework" rel="remove"/> <link href="/servicesNS/nobody/system/apps/local/framework/disable" rel="disable"/> <link href="/servicesNS/nobody/system/apps/local/framework/package" rel="package"/> <content type="text/xml"> <s:dict> <s:key name="check_for_updates">1</s:key> <s:key name="configured">0</s:key> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">system</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="label">framework</s:key> <s:key name="state_change_requires_restart">0</s:key> <s:key name="visible">0</s:key> </s:dict> </content> </entry> <entry> <title>gettingstarted</title> <id>https://localhost:8089/servicesNS/nobody/system/apps/local/gettingstarted</id> <updated>2014-07-01T09:58:57-07:00</updated> <link href="/servicesNS/nobody/system/apps/local/gettingstarted" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/apps/local/gettingstarted" rel="list"/> <link href="/servicesNS/nobody/system/apps/local/gettingstarted/_reload" rel="_reload"/> <link href="/servicesNS/nobody/system/apps/local/gettingstarted" rel="edit"/> <link href="/servicesNS/nobody/system/apps/local/gettingstarted" rel="remove"/> <link href="/servicesNS/nobody/system/apps/local/gettingstarted/enable" rel="enable"/> <link href="/servicesNS/nobody/system/apps/local/gettingstarted/package" rel="package"/> <content type="text/xml"> <s:dict> <s:key name="author">Splunk</s:key> <s:key name="check_for_updates">1</s:key> <s:key name="configured">1</s:key> <s:key name="description">Get started with Splunk. This app introduces you to many of Splunk's features. You'll learn how to use Splunk to index data, search and investigate, add knowledge, monitor and alert, report and analyze.</s:key> <s:key name="disabled">1</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">system</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>power</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="label">Getting started</s:key> <s:key name="state_change_requires_restart">0</s:key> <s:key name="version">1.0</s:key> <s:key name="visible">1</s:key> </s:dict> </content> </entry> <entry> <title>introspection_generator_addon</title> <id>https://localhost:8089/servicesNS/nobody/system/apps/local/introspection_generator_addon</id> <updated>2014-07-01T09:58:57-07:00</updated> <link href="/servicesNS/nobody/system/apps/local/introspection_generator_addon" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/apps/local/introspection_generator_addon" rel="list"/> <link href="/servicesNS/nobody/system/apps/local/introspection_generator_addon/_reload" rel="_reload"/> <link href="/servicesNS/nobody/system/apps/local/introspection_generator_addon" rel="edit"/> <link href="/servicesNS/nobody/system/apps/local/introspection_generator_addon" rel="remove"/> <link href="/servicesNS/nobody/system/apps/local/introspection_generator_addon/disable" rel="disable"/> <link href="/servicesNS/nobody/system/apps/local/introspection_generator_addon/package" rel="package"/> <content type="text/xml"> <s:dict> <s:key name="author">Splunk</s:key> <s:key name="check_for_updates">1</s:key> <s:key name="configured">1</s:key> <s:key name="description">Affords and supports the Platform Instrumentation initiative.</s:key> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">system</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="label">introspection_generator_addon</s:key> <s:key name="state_change_requires_restart">0</s:key> <s:key name="version">6.1</s:key> <s:key name="visible">0</s:key> </s:dict> </content> </entry> <entry> <title>launcher</title> <id>https://localhost:8089/servicesNS/nobody/system/apps/local/launcher</id> <updated>2014-07-01T09:58:57-07:00</updated> <link href="/servicesNS/nobody/system/apps/local/launcher" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/apps/local/launcher" rel="list"/> <link href="/servicesNS/nobody/system/apps/local/launcher/_reload" rel="_reload"/> <link href="/servicesNS/nobody/system/apps/local/launcher" rel="edit"/> <link href="/servicesNS/nobody/system/apps/local/launcher/package" rel="package"/> <content type="text/xml"> <s:dict> <s:key name="check_for_updates">1</s:key> <s:key name="configured">1</s:key> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">system</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>power</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="label">Home</s:key> <s:key name="state_change_requires_restart">0</s:key> <s:key name="visible">1</s:key> </s:dict> </content> </entry> <entry> <title>learned</title> <id>https://localhost:8089/servicesNS/nobody/system/apps/local/learned</id> <updated>2014-07-01T09:58:57-07:00</updated> <link href="/servicesNS/nobody/system/apps/local/learned" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/apps/local/learned" rel="list"/> <link href="/servicesNS/nobody/system/apps/local/learned/_reload" rel="_reload"/> <link href="/servicesNS/nobody/system/apps/local/learned" rel="edit"/> <link href="/servicesNS/nobody/system/apps/local/learned" rel="remove"/> <link href="/servicesNS/nobody/system/apps/local/learned/disable" rel="disable"/> <link href="/servicesNS/nobody/system/apps/local/learned/package" rel="package"/> <content type="text/xml"> <s:dict> <s:key name="check_for_updates">1</s:key> <s:key name="configured">0</s:key> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">system</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="label">learned</s:key> <s:key name="state_change_requires_restart">0</s:key> <s:key name="visible">0</s:key> </s:dict> </content> </entry> <entry> <title>legacy</title> <id>https://localhost:8089/servicesNS/nobody/system/apps/local/legacy</id> <updated>2014-07-01T09:58:57-07:00</updated> <link href="/servicesNS/nobody/system/apps/local/legacy" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/apps/local/legacy" rel="list"/> <link href="/servicesNS/nobody/system/apps/local/legacy/_reload" rel="_reload"/> <link href="/servicesNS/nobody/system/apps/local/legacy" rel="edit"/> <link href="/servicesNS/nobody/system/apps/local/legacy" rel="remove"/> <link href="/servicesNS/nobody/system/apps/local/legacy/enable" rel="enable"/> <link href="/servicesNS/nobody/system/apps/local/legacy/package" rel="package"/> <content type="text/xml"> <s:dict> <s:key name="check_for_updates">1</s:key> <s:key name="configured">0</s:key> <s:key name="disabled">1</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">system</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="label">legacy</s:key> <s:key name="state_change_requires_restart">0</s:key> <s:key name="visible">0</s:key> </s:dict> </content> </entry> <entry> <title>sample_app</title> <id>https://localhost:8089/servicesNS/nobody/system/apps/local/sample_app</id> <updated>2014-07-01T09:58:57-07:00</updated> <link href="/servicesNS/nobody/system/apps/local/sample_app" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/apps/local/sample_app" rel="list"/> <link href="/servicesNS/nobody/system/apps/local/sample_app/_reload" rel="_reload"/> <link href="/servicesNS/nobody/system/apps/local/sample_app" rel="edit"/> <link href="/servicesNS/nobody/system/apps/local/sample_app" rel="remove"/> <link href="/servicesNS/nobody/system/apps/local/sample_app/enable" rel="enable"/> <link href="/servicesNS/nobody/system/apps/local/sample_app/package" rel="package"/> <content type="text/xml"> <s:dict> <s:key name="check_for_updates">1</s:key> <s:key name="configured">0</s:key> <s:key name="disabled">1</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">system</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="label">sample data</s:key> <s:key name="state_change_requires_restart">0</s:key> <s:key name="visible">0</s:key> </s:dict> </content> </entry> <entry> <title>search</title> <id>https://localhost:8089/servicesNS/nobody/system/apps/local/search</id> <updated>2014-07-01T09:58:57-07:00</updated> <link href="/servicesNS/nobody/system/apps/local/search" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/apps/local/search" rel="list"/> <link href="/servicesNS/nobody/system/apps/local/search/_reload" rel="_reload"/> <link href="/servicesNS/nobody/system/apps/local/search" rel="edit"/> <link href="/servicesNS/nobody/system/apps/local/search/package" rel="package"/> <content type="text/xml"> <s:dict> <s:key name="author">Splunk</s:key> <s:key name="check_for_updates">1</s:key> <s:key name="configured">1</s:key> <s:key name="description"><![CDATA[The Search app is Splunk's default interface for searching and analyzing IT data. It allows you to index data into Splunk, add knowledge, build reports, and create alerts. The Search app can be used across many areas of IT including application management, operations management, security, and compliance.]]></s:key> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">system</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> <s:item>power</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="label">Search & Reporting</s:key> <s:key name="state_change_requires_restart">0</s:key> <s:key name="version">6.1</s:key> <s:key name="visible">1</s:key> </s:dict> </content> </entry> <entry> <title>splunk_datapreview</title> <id>https://localhost:8089/servicesNS/nobody/system/apps/local/splunk_datapreview</id> <updated>2014-07-01T09:58:57-07:00</updated> <link href="/servicesNS/nobody/system/apps/local/splunk_datapreview" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/apps/local/splunk_datapreview" rel="list"/> <link href="/servicesNS/nobody/system/apps/local/splunk_datapreview/_reload" rel="_reload"/> <link href="/servicesNS/nobody/system/apps/local/splunk_datapreview" rel="edit"/> <link href="/servicesNS/nobody/system/apps/local/splunk_datapreview/package" rel="package"/> <content type="text/xml"> <s:dict> <s:key name="author">Splunk, Inc.</s:key> <s:key name="check_for_updates">1</s:key> <s:key name="configured">1</s:key> <s:key name="description">Provides interactive timestamping and event breaking facilities for data inputs.</s:key> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">system</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="label">Splunk Data Preview</s:key> <s:key name="state_change_requires_restart">0</s:key> <s:key name="version">0.1</s:key> <s:key name="visible">0</s:key> </s:dict> </content> </entry> <entry> <title>SplunkForwarder</title> <id>https://localhost:8089/servicesNS/nobody/system/apps/local/SplunkForwarder</id> <updated>2014-07-01T09:58:57-07:00</updated> <link href="/servicesNS/nobody/system/apps/local/SplunkForwarder" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/apps/local/SplunkForwarder" rel="list"/> <link href="/servicesNS/nobody/system/apps/local/SplunkForwarder/_reload" rel="_reload"/> <link href="/servicesNS/nobody/system/apps/local/SplunkForwarder" rel="edit"/> <link href="/servicesNS/nobody/system/apps/local/SplunkForwarder" rel="remove"/> <link href="/servicesNS/nobody/system/apps/local/SplunkForwarder/enable" rel="enable"/> <link href="/servicesNS/nobody/system/apps/local/SplunkForwarder/package" rel="package"/> <content type="text/xml"> <s:dict> <s:key name="check_for_updates">1</s:key> <s:key name="configured">0</s:key> <s:key name="disabled">1</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">system</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>power</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="label">SplunkForwarder</s:key> <s:key name="state_change_requires_restart">0</s:key> <s:key name="visible">0</s:key> </s:dict> </content> </entry> <entry> <title>SplunkLightForwarder</title> <id>https://localhost:8089/servicesNS/nobody/system/apps/local/SplunkLightForwarder</id> <updated>2014-07-01T09:58:57-07:00</updated> <link href="/servicesNS/nobody/system/apps/local/SplunkLightForwarder" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/apps/local/SplunkLightForwarder" rel="list"/> <link href="/servicesNS/nobody/system/apps/local/SplunkLightForwarder/_reload" rel="_reload"/> <link href="/servicesNS/nobody/system/apps/local/SplunkLightForwarder" rel="edit"/> <link href="/servicesNS/nobody/system/apps/local/SplunkLightForwarder" rel="remove"/> <link href="/servicesNS/nobody/system/apps/local/SplunkLightForwarder/enable" rel="enable"/> <link href="/servicesNS/nobody/system/apps/local/SplunkLightForwarder/package" rel="package"/> <content type="text/xml"> <s:dict> <s:key name="check_for_updates">1</s:key> <s:key name="configured">0</s:key> <s:key name="disabled">1</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">system</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>power</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="label">SplunkLightForwarder</s:key> <s:key name="state_change_requires_restart">0</s:key> <s:key name="visible">0</s:key> </s:dict> </content> </entry>

</feed>


apps/local POST

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/local -d name=restDemo
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title></title> <id>https://localhost:8089/services/apps/local</id> <updated>2014-07-01T10:09:37-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> <link href="/services/apps/local/_new" rel="create"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>restDemo</title> <id>https://localhost:8089/servicesNS/nobody/system/apps/local/restDemo</id> <updated>2014-07-01T10:09:37-07:00</updated> <link href="/servicesNS/nobody/system/apps/local/restDemo" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/apps/local/restDemo" rel="list"/> <link href="/servicesNS/nobody/system/apps/local/restDemo" rel="edit"/> <link href="/servicesNS/nobody/system/apps/local/restDemo/package" rel="package"/> <content type="text/xml"> <s:dict> <s:key name="author"></s:key> <s:key name="check_for_updates">1</s:key> <s:key name="configured">0</s:key> <s:key name="description"></s:key> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">system</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> <s:item>power</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="label">restDemo</s:key> <s:key name="name">restDemo</s:key> <s:key name="state_change_requires_restart">0</s:key> <s:key name="version">1.0</s:key> <s:key name="visible">1</s:key> </s:dict> </content> </entry>

</feed>


apps/local/{name} DELETE

XML
XML Request
curl -k -u admin:changeme --request DELETE https://localhost:8089/services/apps/local/sample_app
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>localapps</title> <id>https://localhost:8089/services/apps/local</id> <updated>2014-07-15T10:24:35-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> <link href="/services/apps/local/_new" rel="create"/> <link href="/services/apps/local/_reload" rel="_reload"/> <opensearch:totalResults>0</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages> <s:msg type="INFO">Restart required by: indexes</s:msg> </s:messages>

</feed>


apps/local/{name} GET

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/local/dashboard_examples
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>localapps</title> <id>https://localhost:8089/services/apps/local</id> <updated>2014-07-01T10:23:46-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> <link href="/services/apps/local/_new" rel="create"/> <link href="/services/apps/local/_reload" rel="_reload"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>dashboard_examples</title> <id>https://localhost:8089/servicesNS/nobody/system/apps/local/dashboard_examples</id> <updated>2014-07-01T10:23:46-07:00</updated> <link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="list"/> <link href="/servicesNS/nobody/system/apps/local/dashboard_examples/_reload" rel="_reload"/> <link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="edit"/> <link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="remove"/> <link href="/servicesNS/nobody/system/apps/local/dashboard_examples/disable" rel="disable"/> <link href="/servicesNS/nobody/system/apps/local/dashboard_examples/package" rel="package"/> <content type="text/xml"> <s:dict> <s:key name="author">Splunk, Inc.</s:key> <s:key name="check_for_updates">1</s:key> <s:key name="configured">0</s:key> <s:key name="description"><![CDATA[Example dashboards, forms, and views for Splunk 5+. This is the succesor app to UI Examples 4.1+. Splunk Dashboard Examples contains over 50 examples updated for Splunk 5. Each example contains inline documenation to help get you started building Splunk dashboards.]]></s:key> <s:key name="details">https://splunkbase.splunk.com/apps/id/dashboard_examples</s:key> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">system</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list> <s:item>author</s:item> <s:item>check_for_updates</s:item> <s:item>configured</s:item> <s:item>description</s:item> <s:item>label</s:item> <s:item>version</s:item> <s:item>visible</s:item> </s:list> </s:key> <s:key name="requiredFields"> <s:list/> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="label">Splunk Dashboard Examples</s:key> <s:key name="state_change_requires_restart">0</s:key> <s:key name="version">5.0</s:key> <s:key name="visible">1</s:key> </s:dict> </content> </entry>

</feed>


apps/local/{name} POST

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/local/restDemo -d version=1.1
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>localapps</title> <id>https://localhost:8089/services/apps/local</id> <updated>2014-07-01T10:28:35-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> <link href="/services/apps/local/_new" rel="create"/> <link href="/services/apps/local/_reload" rel="_reload"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>restDemo</title> <id>https://localhost:8089/servicesNS/nobody/system/apps/local/restDemo</id> <updated>2014-07-01T10:28:35-07:00</updated> <link href="/servicesNS/nobody/system/apps/local/restDemo" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/apps/local/restDemo" rel="list"/> <link href="/servicesNS/nobody/system/apps/local/restDemo/_reload" rel="_reload"/> <link href="/servicesNS/nobody/system/apps/local/restDemo" rel="edit"/> <link href="/servicesNS/nobody/system/apps/local/restDemo" rel="remove"/> <link href="/servicesNS/nobody/system/apps/local/restDemo/package" rel="package"/> <content type="text/xml"> <s:dict> <s:key name="author"></s:key> <s:key name="check_for_updates">1</s:key> <s:key name="configured">0</s:key> <s:key name="description"></s:key> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">system</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> <s:item>power</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="label">restDemo</s:key> <s:key name="state_change_requires_restart">0</s:key> <s:key name="version">1.1</s:key> <s:key name="visible">1</s:key> </s:dict> </content> </entry>

</feed>


apps/local/{name}/package GET

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/local/restDemo/package
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title></title> <id>https://localhost:8089/services/apps/local</id> <updated>2014-07-01T10:46:43-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> <link href="/services/apps/local/_new" rel="create"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>Package</title> <id>https://localhost:8089/services/apps/local/Package</id> <updated>2014-07-01T10:46:43-07:00</updated> <link href="/services/apps/local/Package" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/apps/local/Package/setup" rel="edit"/> <content type="text/xml"> <s:dict> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="name">restDemo</s:key> <s:key name="path">C:\Program Files\Splunk\etc\system\static\app-packages\restDemo.spl</s:key> <s:key name="url">https://ghartsell-t420s:8089/static/app-packages/restDemo.spl</s:key> </s:dict> </content> </entry>

</feed>


apps/local/{name}/setup GET

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/local/unix/setup
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot;> <title>localapps</title> <id>https://localhost:8089/services/apps/local</id> <updated>2011-07-13T11:24:35-07:00</updated> <generator version="102824"/> <author> <name>Splunk</name> </author> <link href="/services/apps/local/_new" rel="create"/> ... opensearch elements elided ... <s:messages/> <entry> <title>unix</title> <id>https://localhost:8089/servicesNS/nobody/unix/apps/local/unix</id> <updated>2011-07-13T11:24:35-07:00</updated> <link href="/servicesNS/nobody/unix/apps/local/unix" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/unix/apps/local/unix/setup" rel="edit"/> <content type="text/xml"> <s:dict> <s:key name="/admin/script/.%252Fbin%252Fcpu.sh/enabled">1</s:key> <s:key name="/admin/script/.%252Fbin%252Fcpu.sh/interval">30</s:key> <s:key name="/admin/script/.%252Fbin%252Fdf.sh/enabled">1</s:key> <s:key name="/admin/script/.%252Fbin%252Fdf.sh/interval">300</s:key> ... elided ... <s:key name="/admin/script/.%252Fbin%252Fwho.sh/enabled">1</s:key> <s:key name="/admin/script/.%252Fbin%252Fwho.sh/interval">150</s:key> ... eai:acl element elided ... ... eai:attributes element elided ... <s:key name="eai:setup">

<![CDATA[<?xml version="1.0" encoding="UTF-8"?> <SetupInfo> <block title="Welcome to the Splunk for nix App"> <text>The Splunk for nix app provides some sample searches and reports to boot-strap your use of Splunk for Unix host management. To work, it needs certain inputs enabled. These system metrics drive the sample dashboards. Please review and confirm the inputs below before proceeding.</text> </block> <block title="CPU Stats (sar / mpstat / etc.)" endpoint="admin/script" entity=".%252Fbin%252Fcpu.sh"> <input field="interval" id="/admin/script/.%252Fbin%252Fcpu.sh/interval"> <label>Polling Interval (sec)</label> <type>text</type> </input> <input field="enabled" id="/admin/script/.%252Fbin%252Fcpu.sh/enabled"> <label>Enable</label> <type>bool</type> </input> </block>

. . .

<block title="Time Query (date, ntpdate -q)" endpoint="admin/script" entity=".%252Fbin%252Ftime.sh"> <input field="interval" id="/admin/script/.%252Fbin%252Ftime.sh/interval"> <label>Polling Interval (sec)</label> <type>text</type> </input> <input field="enabled" id="/admin/script/.%252Fbin%252Ftime.sh/enabled"> <label>Enable</label> <type>bool</type> </input> </block> <block title="Linux Audit Log (/var/log/audit/audit.log | ausearch)" endpoint="admin/script" entity=".%252Fbin%252Frlog.sh"> <input field="interval" id="/admin/script/.%252Fbin%252Frlog.sh/interval"> <label>Polling Interval (sec)</label> <type>text</type> </input> <input field="enabled" id="/admin/script/.%252Fbin%252Frlog.sh/enabled"> <label>Enable</label> <type>bool</type> </input> </block> <block title="Warning"> <text>Submitting this form can take a long time. Please be patient and wait for it to complete before navigating away from this page.</text> </block> </SetupInfo> ]]> </s:key>

</s:dict> </content> </entry>

</feed>


apps/local/{name}/update GET

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/local/gettingstarted/update
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>localapps</title> <id>https://localhost:8089/services/apps/local</id> <updated>2014-07-15T10:34:13-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> <link href="/services/apps/local/_new" rel="create"/> <link href="/services/apps/local/_reload" rel="_reload"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>gettingstarted</title> <id>https://localhost:8089/services/apps/local/gettingstarted</id> <updated>2014-07-15T10:34:13-07:00</updated> <link href="/services/apps/local/gettingstarted" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/apps/local/gettingstarted" rel="list"/> <link href="/services/apps/local/gettingstarted/_reload" rel="_reload"/> <link href="/services/apps/local/gettingstarted" rel="edit"/> <link href="/services/apps/local/gettingstarted" rel="remove"/> <content type="text/xml"> <s:dict> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> </s:dict> </content> </entry>

</feed>

Cluster endpoints

Cluster endpoint descriptions

Manage master and peer cluster nodes.

cluster/config


https://<host>:<mPort>/services/cluster/config

Authentication: Not required

Description

Configure and access nodes in a cluster.

Method summary
Method Description Formats
GET List cluster node configuration. XML, JSON

GET cluster/config method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
Attribute Description
cxn_timeout Low-level timeout, in seconds, for establishing connection between cluster nodes. Defaults to 60 seconds.
disabled Indicates if this node is disabled.
forwarderdata_rcv_port The port from which to receive data from a forwarder.
forwarderdata_use_ssl Indicates whether to use SSL when receiving data from a forwarder.
heartbeat_period Only valid for peer nodes in a cluster. The time, in seconds, that a peer attempts to send a heartbeat to the master
heartbeat_timeout Only valid for the master node in a cluster configuration. The time, in seconds, before a master considers a peer down. Once a peer is down, the master initiates steps to replicate buckets from the dead peer to its live peers. Defaults to 60 seconds.
master_uri Valid only for nodes configured as a peer or searchhead.

URI of the cluster master to which this node connects.

max_peer_build_load The number of jobs that a peer can have in progress at any time that make the bucket searchable.
max_peer_rep_load Maximum number of replications that can be ongoing as a target.
mode Valid values: (master | slave | searchhead | disabled) Defaults to disabled.

Sets operational mode for this cluster node. Only one master may exist per cluster.

ping_flag For internal use to facilitate communication between the master and peers.
quiet_period The time, in seconds, that a master waits for peers to add themselves to the cluster.
rcv_timeout Low-level timeout, in seconds, for receiving data between cluster nodes. Defaults to 60 seconds.
register_forwarder_address Not used.

Reserved for future use.

register_replication_address Valid only for nodes configured as peers. The address on which a peer is available for accepting replication data. This is useful in the cases where a peer host machine has multiple interfaces and only one of them can be reached by another splunkd instance.
register_search_address IP address that advertises this indexer to search heads.
rep_cxn_timeout Low-level timeout, in seconds, for establishing a connection for replicating data.
rep_max_rcv_timeout Maximum cumulative time, in seconds, for receiving acknowledgement data from peers. Defaults to 600s.
rep_max_send_timeout Maximum time, in seconds, for sending replication slice data between cluster nodes. Defaults to 600s.
rep_rcv_timeout Low-level timeout, in seconds, for receiving data between cluster nodes.
rep_send_timeout Low-level timeout, in seconds, for sending replication data between cluster nodes. Defaults to 5 seconds.
replication_factor Only valid for nodes configured as a master.

Determines how many copies of raw data are created in the cluster. This could be less than the number of cluster peers.

Must be greater than 0 and greater than or equal to the search factor. Defaults to 3.

replication_port TCP port to listen for replicated data from another cluster member.
replication_use_ssl Indicates whether to use SSL when sending replication data.
restart_timeout Only valid for nodes configured as a master. The amount of time, in seconds, the master waits for a peer to come back when the peer is restarted (to avoid the overhead of trying to fix the buckets that were on the peer). Defaults to 600 seconds.

Note: This only works if the peer is restarted from Splunk Web.

search_factor Only valid for nodes configured as a master. Determines how many searchable copies of each bucket to maintain. Must be less than or equal to replication_factor and greater than 0. Defaults to 2.
secret Secret shared among the nodes in the cluster to prevent any arbitrary node from connecting to the cluster. If a peer or searchhead is not configured with the same secret as the master, it is not able to communicate with the master.

Corresponds to pass4SymmKey setting in server.conf.

send_timeout Low-level timeout, in seconds, for sending data between cluster nodes. Defaults to 60 seconds.

[ Top ]



cluster/master/buckets


https://<host>:<mPort>/services/cluster/master/buckets

Authentication: Not required

Description

Provides bucket configuration information for a cluster master node.


Method summary
Method Description Formats
GET Lists cluster master node bucket configuration. XML, JSON

GET cluster/master/buckets method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
Attribute Description
bucket_size Indicates the size, in bytes, of the bucket.
constrain_to_origin_site Flag indicating this particular bucket is a clustered pre-multisite bucket. Such buckets are replicated only within their origin site.
force_roll Flag indicating hot bucket needs to be force to roll by master. Usually when hot bucket does not have enough streaming targets to meet the policy.
frozen Indicates if the bucket is frozen.
index Name of the index to which the bucket belongs.
origin_site Where the bucket originated.
peers Lists information about buckets on peers to this master.
primaries_by_site Primary peer (GIUD).
rep_count_by_site Number of buckets.
search_count_by_site Number of searchable buckets.
service_after_time Bucket service is deferred until after this time.
standalone Indicates if the bucket was created on the peer before the peer entered into a cluster configuration with this master.

[ Top ]



cluster/master/buckets/{name}


https://<host>:<mPort>/services/cluster/master/buckets/{name}

Authentication: Not required

Description

Access bucket configuration information.

Method summary
Method Description Formats
GET List bucket configuration information. XML, JSON

GET cluster/master/buckets/{name} method detail

Example

Request parameters

The filter parameter of the Pagination and filtering parameters can be used with this method.


Response data keys
Name Description
bucket_size Indicates the size, in bytes, of the bucket.
constrain_to_origin_site Flag indicating this particular bucket is a clustered pre-multisite bucket. Such buckets are replicated only within their origin site.
force_roll Flag indicating hot bucket needs to be force to roll by master. Usually when hot bucket does not have enough streaming targets to meet the policy.
frozen Indicates if the bucket is frozen.
index Name of the index to which the bucket belongs.
origin_site Where the bucket originated.
peers Lists information about buckets on peers to this master.
primaries_by_site Primary peer (GIUD).
rep_count_by_site Number of buckets.
search_count_by_site Number of searchable buckets.
service_after_time Bucket service is deferred until after this time.
standalone Indicates if the bucket was created on the peer before the peer entered into a cluster configuration with this master.

[ Top ]



cluster/master/control/control/rebalance_primaries


https://<host>:<mPort>/services/cluster/master/control/control/rebalance_primaries

Authentication: Not required

Description

Rebalance primary buckets across peers.

Method summary
Method Description Formats
POST Rebalance primary buckets across all peers of this master. XML, JSON

POST cluster/master/control/control/rebalance_primaries method detail

Example

Request parameters

None

Response data keys

None

[ Top ]



cluster/master/control/control/remove_peers


https://<host>:<mPort>/services/cluster/master/control/control/remove_peers

Authentication: Not required

Description

Remove one or more peers.

See also

cluster/master/peers

Method summary
Method Description Formats
POST Remove one or more peers. XML, JSON

POST cluster/master/control/control/remove_peers method detail

Example

Request parameters
Name Type Default Description
peers
required
String One or more comma-separated peer GUIDs.
Response data keys

None

Application usage

If peer status is not Down or GracefulShutdown, the interface returns the following error message:


<response>
  <messages>
    <msg type="ERROR">
 In handler 'clustermastercontrol': Remove aborted, Reason: Peer=<hostname> with guid=<peerID> cannot be removed. Peer has status=Up. Only peers with status=Down (or) GracefulShutdown can be removed.</msg>
  </messages>
</response>

[ Top ]



cluster/master/generation


https://<host>:<mPort>/services/cluster/master/generation

Authentication: Not required

Description

Access current generation cluster master information.

Method summary
Method Description Formats
GET List peer nodes participating in the current generation for this master. XML, JSON
POST Create a cluster generation. XML, JSON

GET cluster/master/generation method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
generation_id The ID for the current generation for this master.
generation_peers Lists the peers for this generation of the cluster.
pending_generation_id The next generation ID used by the master when committing a new generation.

This value is useful for debugging.

pending_last_attempt The timestamp of the last attempt to commit to the pending generation ID (if ever).
pending_last_reason The reason why this peer failed to commit to the pending generation.

This parameter is EMPTY if no such attempt was made.


POST cluster/master/generation method detail

Example

Request parameters
Name Type Default Description
name
required
String The URI of the searchhead node of a cluster upon which to create a new generation.
generation_poll_interval Number How often, in seconds, the searchhead polls the master for generation information.

Defaults to 60 seconds.

label String Server name for the Splunk Enterprise instance specified by the name attribute.
mgmt_port String The managment port of searchhead node in a cluster upon which you are creating a new generation.
register_search_address String The address on which a peer node is available as search head.

This is useful in the cases where a splunk host machine has multiple interfaces and only one of them can be reached by another splunkd instance.

Response data keys
Name Description
generation_id The ID for the current generation for this master.
generation_peers Lists the peers for this generation of the cluster.
pending_generation_id The next generation ID used by the master when committing a new generation.

This value is useful for debugging.

pending_last_attempt The timestamp of the last attempt to commit to the pending generation ID (if ever).
pending_last_reason The reason why this peer failed to commit to the pending generation.

This parameter is EMPTY if no such attempt was made.

replication_factor_met Indicates if the replication factor was met for the cluster.
search_factor_met Indicates if the search factor was met for the cluster.
was_forced Indicates next generation was forcibly committed.

[ Top ]



cluster/master/generation/{name}


https://<host>:<mPort>/services/cluster/master/generation/{name}

Authentication: Not required

Description

Access information about a peer node participating in the current generation for the specified search head GUID.

Method summary
Method Description Formats
GET List peer node information of the specified search head GUID. XML, JSON
POST Create a new generation for the specified search head GUID. XML, JSON

GET cluster/master/generation/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
generation_id The ID of the current generation for this master.
generation_peers Lists the peers for this generation of the cluster.
pending_generation_id The next generation ID used by the master when committing a new generation.

This value is useful for debugging.

pending_last_attempt The timestamp of the last attempt to commit to the pending generation ID (if ever).
pending_last_reason The reason why this peer failed to commit to the pending generation.

This parameter is EMPTY if no such attempt was made.


POST cluster/master/generation/{name} method detail

Example

Request parameters
Name Type Default Description
generation_poll_interval Number How often, in seconds, the searchhead polls the master for generation information.

Defaults to 60 seconds.

label String Server name for the search head specified by {name}.
mgmt_port String The managment port of searchhead node in a cluster upon which you are creating a new generation.
register_search_address String The address on which a peer node is available as search head.

This is useful in the cases where a splunk host machine has multiple interfaces and only one of them can be reached by another splunkd instance.

Response data keys
Name Description
generation_id The ID for the current generation for this master.
generation_peers Lists the peers for this generation of the cluster.
pending_generation_id The next generation ID used by the master when committing a new generation.

This value is useful for debugging.

pending_last_attempt The timestamp of the last attempt to commit to the pending generation ID (if ever).
pending_last_reason The reason why this peer failed to commit to the pending generation.

This parameter is EMPTY if no such attempt was made.

replication_factor_met Indicates if the replication factor was met for the cluster.
search_factor_met Indicates if the search factor was met for the cluster.
was_forced Indicates next generation was forcibly committed.

[ Top ]



cluster/master/indexes


https://<host>:<mPort>/services/cluster/master/indexes

Authentication: Not required

Description

Access cluster index information.

Method summary
Method Description Formats
GET Lists cluster indices. XML, JSON

GET cluster/master/indexes method detail

Example

Request parameters

None

Response data keys
Attribute Description
buckets_with_excess_copies Number of distinct buckets that have one or more excess replication copies.
buckets_with_excess_searchable_copies Number of distinct buckets that have one or more excess searchable copies.
index_size Size of the index
is_searchable When every bucket in the index has a primary, the index is considered "searchable".
non_site_aware_buckets_in_site_aware_cluster Number of buckets created when the cluster was not in a multisite config. (Included only when the cluster is in multisite config.)
num_buckets Total number of distinct buckets.
replicated_copies_tracker Displays how many distinct buckets have X number of copies.
AttributeDescription
actual_copies_per_slotNumber of buckets with X copies.
expected_total_per_slotExpected number of buckets with X copies.
searchable_copies_tracker Displays how many distinct buckets have X number of searchable copies.
AttributeDescription
actual_copies_per_slotNumber of buckets with X searchable copies.
expected_total_per_slotExpected number of buckets with X searchable copies.
sort_order Used by UI.
total_excess_bucket_copies Total number of excess copies for all buckets.
total_excess_searchable_copies Total number of excess searchable copies for all buckets.

[ Top ]



cluster/master/indexes/{name}


https://<host>:<mPort>/services/cluster/master/indexes/{name}

Authentication: Not required

Description

Access specific cluster index information.

Method summary
Method Description Formats
GET Lists index information. XML, JSON

GET cluster/master/indexes/{name} method detail

Example

Request parameters

None

Response data keys
Attribute Description
buckets_with_excess_copies Number of distinct buckets that have one or more excess replication copies.
buckets_with_excess_searchable_copies Number of distinct buckets that have one or more excess searchable copies.
index_size Size of the index
is_searchable When every bucket in the index has a primary, the index is considered "searchable".
non_site_aware_buckets_in_site_aware_cluster Number of buckets created when the cluster was not in a multisite config. (Included only when the cluster is in multisite config.)
num_buckets Total number of distinct buckets.
replicated_copies_tracker Displays how many distinct buckets have X number of copies.
AttributeDescription
actual_copies_per_slotNumber of buckets with X copies.
expected_total_per_slotExpected number of buckets with X copies.
searchable_copies_tracker Displays how many distinct buckets have X number of searchable copies.
AttributeDescription
actual_copies_per_slotNumber of buckets with X searchable copies.
expected_total_per_slotExpected number of buckets with X searchable copies.
sort_order Used by UI.
total_excess_bucket_copies Total number of excess copies for all buckets.
total_excess_searchable_copies Total number of excess searchable copies for all buckets.

[ Top ]



cluster/master/info


https://<host>:<mPort>/services/cluster/master/info

Authentication: Not required

Description

Access information about cluster master node.

Method summary
Method Description Formats
GET List cluster master node details. XML, JSON

GET cluster/master/info method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
active_bundle Provides information about the active bundle for this master.
bundle_creation_time_on_master The time, in epoch seconds, when the bundle was created on the master.
bundle_validation_errors_on_master A list of bundle validation errors.
bundle_validation_in_progress Indicates if bundle validation is in progress.
bundle_validation_on_master_succeeded Indicates whether the master succeeded validating bundles.
data_safety_buckets_to_fix Lists the buckets to fix for the completion of data safety.
gen_commit_buckets_to_fix The buckets to be fixed before the next generation can be committed.
indexing_ready_flag Indicates if the cluster is ready for indexing.
initialized_flag Indicates if the cluster is initialized.
label The name for the master that is displayed in the Splunk Enterprise Manager page.
latest_bundle The most recent information reflecting any changes made to the master-apps configuration bundle.

In steady state, this is equal to active_bundle. If it is not equal, then pushing the latest bundle to all peers is in process (or needs to be started).

maintenance_mode Indicates if the cluster is in maintenance mode.
reload_bundle_issued Indicates if the bundle issued is being reloaded.
rep_count_buckets_to_fix Number of buckets to fix on peers.
rolling_restart_flag Indicates whether the master is restarting the peers in a cluster.
search_count_buckets_to_fix Number of buckets to fix to satisfy the search count.
service_ready_flag Indicates whether the master is ready to begin servicing, based on whether it is initialized.
start_time Timestamp corresponding to the creation of the master.

[ Top ]



cluster/master/peers


https://<host>:<mPort>/services/cluster/master/peers

Authentication: Not required

Description

Access cluster master peers.

See also

cluster/master/control/control/remove_peers

Method summary
Method Description Formats
GET List cluster master peers. XML, JSON

GET cluster/master/peers method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
active_bundle_id The ID of the configuration bundle currently being used by the master.
apply_bundle_status Bundle status enumeration.
base_generation_id The initial bundle generation ID recognized by this peer. Any searches from previous generations fail.

The initial bundle generation ID is created when a peer first comes online, restarts, or recontacts the master.

bucket_count Count of the number of buckets on this peer, across all indexes.
bucket_count_by_index Count of the number of buckets by index on this peer.
delayed_buckets_to_discard List of bucket IDs waiting to be discarded on this peer.
fixup_set The set of buckets that need repair once you take the peer offline.
heartbeat_started Flag indicating if this peer has started heartbeating.
host_port_pair The host and port advertised to peers for the data replication channel.

Can be either of the form IP:port or hostname:port.

is_searchable Flag indicating if this peer belongs to the current committed generation and is searchable.
label The name for the peer that is displayed in the Splunk Enterprise Manager page.
last_heartbeat Timestamp for last heartbeat recieved from the peer.
latest_bundle_id The ID of the configuration bundle this peer is using.
pending_job_count Used by the master to keep track of pending jobs requested by the master to this peer.
primary_count Number of buckets for which the peer is primary in its local site, or the number of buckets that return search results from same site as the peer.
primary_count_remote Number of buckets for which the peer is primary that are not in its local site.
replication_count Number of replications this peer is part of, as either source or target.
replication_port TCP port to listen for replicated data from another cluster member.
replication_use_ssl Indicates whether to use SSL when sending replication data.
search_state_counter Lists the number of buckets on the peer for each search state for the bucket.

Possible values for search state include:

Searchable
Unsearchable
site To which site the peer belongs.
status Indicates the status of the peer.

Valid values are:

Up
Down
Pending
Detention
Restarting
DecommAwaitPeer
DecommFixingBuckets
Decommissioned
status_counter Lists the number of buckets on the peer for each bucket status.

Possible values for bucket status:

Complete: complete (warm/cold) bucket
NonStreamingTarget: target of replication for already completed (warm/cold) bucket
PendingTruncate: bucket pending truncation
PendingDiscard: bucket pending discard
Standalone: bucket that is not replicated
StreamingError: copy of streaming bucket where some error was encountered
StreamingSource: streaming hot bucket on source side
StreamingTarget: streaming hot bucket copy on target side
Unset: uninitialized

[ Top ]



cluster/master/peers/{name}


https://<host>:<mPort>/services/cluster/master/peers/{name}

Authentication: Not required

Description

Access specified peer.

Method summary
Method Description Formats
GET Get {name} peer information. XML, JSON

GET cluster/master/peers/{name} method detail

Example

Request parameters
Name Type Default Description
list_buckets Boolean Indicates whether to list the buckets for the peers to this master.
Response data keys
Name Description
active_bundle_id The ID of the configuration bundle currently being used by the master.
apply_bundle_status Bundle status enumeration.
base_generation_id The initial bundle generation ID recognized by this peer. Any searches from previous generations fail.

The initial bundle generation ID is created when a peer first comes online, restarts, or recontacts the master.

bucket_count Count of the number of buckets on this peer, across all indexes.
bucket_count_by_index Count of the number of buckets by index on this peer.
delayed_buckets_to_discard List of bucket IDs waiting to be discarded on this peer.
fixup_set The set of buckets that need repair once you take the peer offline.
heartbeat_started Flag indicating if this peer has started heartbeating.
host_port_pair The host and port advertised to peers for the data replication channel.

Can be either of the form IP:port or hostname:port.

is_searchable Flag indicating if this peer belongs to the current committed generation and is searchable.
label The name for the peer that is displayed in the Splunk Enterprise Manager page.
last_heartbeat Timestamp for last heartbeat recieved from the peer.
latest_bundle_id The ID of the configuration bundle this peer is using.
pending_job_count Used by the master to keep track of pending jobs requested by the master to this peer.
primary_count Number of buckets for which the peer is primary in its local site, or the number of buckets that return search results from same site as the peer.
primary_count_remote Number of buckets for which the peer is primary that are not in its local site.
replication_count Number of replications this peer is part of, as either source or target.
replication_port TCP port to listen for replicated data from another cluster member.
replication_use_ssl Indicates whether to use SSL when sending replication data.
search_state_counter Lists the number of buckets on the peer for each search state for the bucket.

Possible values for search state include:

Searchable
Unsearchable
site To which site the peer belongs.
status Indicates the status of the peer.

Valid values are:

Up
Down
Pending
Detention
Restarting
DecommAwaitPeer
DecommFixingBuckets
Decommissioned
status_counter Lists the number of buckets on the peer for each bucket status.

Possible values for bucket status:

Complete: complete (warm/cold) bucket
NonStreamingTarget: target of replication for already completed (warm/cold) bucket
PendingTruncate: bucket pending truncation
PendingDiscard: bucket pending discard
Standalone: bucket that is not replicated
StreamingError: copy of streaming bucket where some error was encountered
StreamingSource: streaming hot bucket on source side
StreamingTarget: streaming hot bucket copy on target side
Unset: uninitialized

[ Top ]



cluster/master/sites


https://<host>:<mPort>/servicescluster/master/sites

Authentication: Not required

Description

Access cluster site information.

Method summary
Method Description Formats
GET List available cluster sites. XML, JSON

GET cluster/master/sites method detail

Example

Request parameters

None

Response data keys
Name Description
peers Peers list of host:port and server name.

[ Top ]



cluster/master/sites/{name}


https://<host>:<mPort>/services/cluster/master/sites/{name}

Authentication: Not required

Description

Access specific cluster site information.

Method summary
Method Description Formats
GET List specific cluster site information. XML, JSON

GET cluster/master/sites/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
peers Site peer reference, for each peer:
AttributeDescription
host_port_pairPeer port number.
server_namePeer server name.

[ Top ]



cluster/searchhead/generation


https://<host>:<mPort>/services/cluster/searchhead/generation

Authentication: Not required

Description

Access peer information in a cluster searchhead.

Method summary
Method Description Formats
GET List peers available to a cluster searchhead. XML, JSON

GET cluster/searchhead/generation method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
generation_id The current generation ID for this searchhead, which is part of a cluster configuration.

The search head uses this information to determine which buckets to search across.

generation_peers List of peer nodes for the current generation in the cluster configuration for this searchhead.

[ Top ]



cluster/searchhead/generation/{name}


https://<host>:<mPort>/services/cluster/searchhead/generation/{name}

Authentication: Not required

Description

Access peer of the master URI.

Method summary
Method Description Formats
GET Get {name} searchhead generation ID and generation peers. XML, JSON

GET cluster/searchhead/generation/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
generation_id The current generation ID for this searchhead, which is part of a cluster configuration.

The search head uses this information to determine which buckets to search across.

generation_peers List of peer nodes for the current generation in the cluster configuration for this searchhead.

[ Top ]



cluster/searchhead/searchheadconfig


https://<host>:<mPort>/services/cluster/searchhead/searchheadconfig

Authentication: Not required

Description

Access cluster searchhead node configuration.

Method summary
Method Description Formats
GET List this cluster search head node configuration. XML, JSON
POST Configure this server as a cluster searchhead node. XML, JSON

GET cluster/searchhead/searchheadconfig method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys

None


POST cluster/searchhead/searchheadconfig method detail

Example

Request parameters
Name Type Default Description
name
required
String The URI of the master node in the cluster.
secret
required
String Secret shared among the nodes in the cluster to prevent any arbitrary node from connecting to the cluster. If a peer or searchhead is not configured with the same secret as the master, it is not able to communicate with the master.

Corresponds to pass4SymmKey setting in server.conf.

Response data keys

None

[ Top ]



cluster/searchhead/searchheadconfig/{name}


https://<host>:<mPort>/services/cluster/searchhead/searchheadconfig/{name}

Authentication: Not required

Description

Manage node in a cluster.

Method summary
Method Description Formats
DELETE Remove node from cluster. XML, JSON
GET List cluster search head node configuration. XML, JSON
POST Update cluster search head node configuration. XML, JSON

DELETE cluster/searchhead/searchheadconfig/{name} method detail

Example

Request parameters

None

Response data keys

None


GET cluster/searchhead/searchheadconfig/{name} method detail

Example

Request parameters

None

Response data keys

None


POST cluster/searchhead/searchheadconfig/{name} method detail
Request parameters
Name Type Default Description
master_uri String The URI of the master node in the cluster for which this searchhead is configured.
secret String Secret shared among the nodes in the cluster to prevent any arbitrary node from connecting to the cluster. If a peer or searchhead is not configured with the same secret as the master, it is not able to communicate with the master.

Corresponds to pass4SymmKey setting in server.conf.

Response data keys

None

[ Top ]



cluster/slave/buckets


https://<host>:<mPort>/services/cluster/slave/buckets

Authentication: Not required

Description

Access cluster peers bucket configuration.

Method summary
Method Description Formats
GET List cluster peers bucket configuration. XML, JSON

GET cluster/slave/buckets method detail

Example

Request parameters
Name Type Default Description
generation_id String The generation ID for this peer. For each generation, the master server in a cluster configuration assigns generation IDs. A generation identifies which copies of a cluster's buckets are primary and therefore can participate in a search.

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
checksum Used internally to identify this bucket.
earliest_time Indicates the time of the earliest event in this bucket.
generation_id The generation ID for this peer.
generations A sparse list of generation id to bucket primacy for the given peer.
latest_time Indicates the time for the latest event in this bucket.
search_state Indicates if the bucket is searchable.

Possible values:

Searchable
Unsearchable
status Indicates the status of this bucket.

Possible values:

Complete: Copy of this bucket contains the full complement of information
StreamingSource: The copy of this bucket is sending data to peer nodes for replication
StreamingTarget: The copy of this bucket is receiving replicated data.
NonStreamingTarget: This copy of a warm bucket replication is in progress. Once replication is complete, the status changes to Complete.
StreamingError: the copy of this bucket encountered errors while streaming data.
PendingTruncate: The master asked the peer to truncate this copy of the bucket to a certain size and is waiting for confirmation.
PendingDiscard: The master asked the peer to discard this copy of the bucket (for whatever reason, and is waiting for confirmation.
Standalone: A bucket in the cluster that is not replicated.

[ Top ]



cluster/slave/buckets/{name}


https://<host>:<mPort>/services/cluster/slave/buckets/{name}

Authentication: Not required

Description

Manage peer buckets.

Method summary
Method Description Formats
DELETE Remove specified bucket from peer node. XML, JSON
GET List peer specified bucket information. XML, JSON

DELETE cluster/slave/buckets/{name} method detail

Example

Request parameters
Name Type Default Description
bucket_id
required
Sring The identifier for the bucket to remove.
Response data keys

None


GET cluster/slave/buckets/{name} method detail

Example

Request parameters
Name Type Default Description
generation_id String The generation ID for this peer. For each generation, the master server in a cluster configuration assigns generation IDs. A generation identifies which copies of a cluster's buckets are primary and therefore can participate in a search.
Response data keys
Name Description
checksum Used internally to identify this bucket.
earliest_time Indicates the time of the earliest event in this bucket.
generation_id The generation ID for this peer.
generations A sparse list of generation id to bucket primacy for the given peer.
latest_time Indicates the time for the latest event in this bucket.
search_state Indicates if the bucket is searchable.

Possible values:

Searchable
Unsearchable
status Indicates the status of this bucket.

Possible values:

Complete: Copy of this bucket contains the full complement of information
StreamingSource: The copy of this bucket is sending data to peer nodes for replication
StreamingTarget: The copy of this bucket is receiving replicated data.
NonStreamingTarget: This copy of a warm bucket replication is in progress. Once replication is complete, the status changes to Complete.
StreamingError: the copy of this bucket encountered errors while streaming data.
PendingTruncate: The master asked the peer to truncate this copy of the bucket to a certain size and is waiting for confirmation.
PendingDiscard: The master asked the peer to discard this copy of the bucket (for whatever reason, and is waiting for confirmation.
Standalone: A bucket in the cluster that is not replicated.

[ Top ]



cluster/slave/info


https://<host>:<mPort>/services/cluster/slave/info

Authentication: Not required

Description

Access cluster peer node information.

Method summary
Method Description Formats
GET List peer information. XML, JSON

GET cluster/slave/info method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
active_bundle Current bundle being used by this peer.
base_generation_id The initial bundle generation ID recognized by this peer. Any searches from previous generations fail.

The initial bundle generation ID is created when a peer first comes online, restarts, or recontacts the master.

invalid_bundle_ids List of bundle ids with validation errors in the peer.
is_registered Indicates if this peer is registered with the master in the cluster.
last_heartbeat_attempt Timestamp for the last attempt to contact the master.
latest_bundle Lists information about the most recent bundle downloaded from the master.
restart_state Indicates whether the peer needs to be restarted to enable its cluster configuration.
status Indicates the status of the peer.

Possible values:

Up
Down
Pending
Detention
Restarting
DecommAvaitingPeer
DecommFixingBuckets
Decommissioned

[ Top ]

shcluster/captain/artifacts


https://<host>:<mPort>/services/shcluster/captain/artifacts

Authentication: Not required

Description

Provides list of artifacts and replicas for a searchhead cluster.

An artifact in search head clustering is a managed search directory. Currently only scheduled search results directories are managed, and replicated according to replication policy. This endpoint can only be accessed on the captain. The artifacts listed are all the artifacts that are currently managed by the captain across the searchhead cluster, present on the various members. NB: adhoc searches are not considered artifacts and are not listed.

Method summary
Method Description Formats
GET Lists searchhead cluster artifacts and replicas XML, JSON
GET shcluster/captain/artifacts method detail

Example

Request parameters
Name Type Default Description
remote_sids
required
Bool Set this to true to return the searches that the captain is seeing. Will include adhoc searches on remote members.
Response data keys
artifact_size Artifact size, in bytes.
origin_guid Guid of the origin peer where this artifact was created/search was run.
peers Lists information about replicas of this artifact on members of this searchhead cluster.
service_after_time Artifact service/fixup is deferred until after this time.

[ Top ]

shcluster/captain/artifacts/{name}


https://<host>:<mPort>/services/shcluster/captain/artifacts/{name}

Authentication: Not required

Description

Get artifact information for a specific artifact.

Method summary
Method Description Formats
GET Get artifact information, size, replicas and earliest service time. XML, JSON
GET shcluster/captain/artifacts/{name} method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
artifact_size Artifact size, in bytes.
origin_guid Guid of the origin peer where this artifact was created.
peers Lists information about artifacts on members of this captain.
service_after_time Artifact service is deferred until after this time.

[ Top ]

shcluster/captain/info


https://<host>:<mPort>/services/shcluster/captain/info

Authentication: Not required

Description

Access information about searchhead cluster captain node.

Method summary
Method Description Formats
GET List searchhead cluster captain node details. XML, JSON

GET shcluster/captain/info method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
elected_captain Time when the current captain was elected
id Id of this SH cluster. This is used as the unique identifier for the Search Head Cluster in bundle replication and acceleration summary management.
initialized_flag Indicates if the searchhead cluster is initialized.
label The name for the captain that is displayed in the Splunk Enterprise Manager page.
maintenance_mode Indicates if the cluster is in maintenance mode.
min_peers_joined_flag Flag to indicate if more then replication_factor peers have joined the cluster.
peer_scheme_host_port URI of the current captain.
rolling_restart_flag Indicates whether the captain is restarting the members in a searchhead cluster.
service_ready_flag Indicates whether the captain is ready to begin servicing, based on whether it is initialized.
start_time Timestamp corresponding to the creation of the captain.

[ Top ]

shcluster/captain/jobs


https://<host>:<mPort>/services/shcluster/captain/jobs

Authentication: Not required

Description

List running and recently finished jobs for all cluster members.

Method summary
Method Description Formats
GET Cluster-wide list of running and recently finished jobs XML, JSON

GET shcluster/captain/jobs method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys

For each job:

ATTEMPT_[n] dispatch_time - The UTC time of dispatch for the job
errormsg - If the job failed, capturing the reason for failure
peer - GUID of the member that the job was sent to
sid - the search id of this attempt
success - a boolean for success/failure of the job
job_state Job State can be SCHEDULED/DISPATCHED/COMPLETED. A SCHEDULED job has been received by the captain from the scheduler to schedule. A DISPATCHED job has started to run on a remote member. A COMPLETED job has finished running on the remote member.
saved_search The name of the saved-search from the associated savedsearches.conf file.
savedsearchtype The scheduler manages three kinds of scheduled jobs, regular savedsearch for both realtime and historical, autosummary report acceleration build searches, and tsidx tsidx build searches.
search_app The application in which the savedsearch was created.
search_owner The owner of the saved search.

[ Top ]

shcluster/captain/jobs/{name}


https://<host>:<mPort>/services/shcluster/captain/jobs/{name}

Authentication: Not required

Description

Get running and recently finished jobs for {name} cluster.

Method summary
Method Description Formats
GET Get running and recently finished jobs. XML, JSON

GET shcluster/captain/jobs/{name} method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
ATTEMPT_[n] dispatch_time - The UTC time of dispatch for the job
errormsg - If the job failed, capturing the reason for failure
peer - GUID of the member that the job was sent to
sid - the search id of this attempt
success - a boolean for success/failure of the job
job_state Job State can be SCHEDULED/DISPATCHED/COMPLETED. A SCHEDULED job has been received by the captain from the scheduler to schedule. A DISPATCHED job has started to run on a remote member. A COMPLETED job has finished running on the remote member.
saved_search The name of the saved-search from the associated savedsearches.conf file.
savedsearchtype The scheduler manages three kinds of scheduled jobs, regular savedsearch for both realtime and historical, autosummary report acceleration build searches, and tsidx tsidx build searches.
search_app The application in which the savedsearch was created.
search_owner The owner of the saved search.

[ Top ]

shcluster/captain/members


https://<host>:<mPort>/services/shcluster/captain/members

Authentication: Not required

Description

Lists the search head cluster members.

Method summary
Method Description Formats
GET List cluster members. XML, JSON

GET shcluster/captain/members method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
adhoc_searchhead Flag to indicate if this member does not run scheduled searches.
advertise_restart_required Flag to indicate if this peer advertised that it needed a restart.
artifact_count Number of artifacts on this peer
delayed_artifacts_to_discard List of artifacts waiting to be deleted from this peer.
fixup_set N/A
host_port_pair The host and management port advertised by this peer.
kv_store_host_port Host and port of the kv store instance of this member.
label The name for this member that is displayed in the Splunk Enterprise Manager page.
last_heartbeat Timestamp for last heartbeat recieved from the peer
peer_scheme_host_port URI of the current captain.
pending_job_count Used by the captain to keep track of pending jobs requested by the captain to this member.
replication_count Number of replications this peer is part of, as either source or target.
replication_port TCP port to listen for replicated data from another cluster member.
replication_use_ssl Indicates whether to use SSL when sending replication data.
site N/A
status Indicates the status of the member.

Valid values are:

Up
Down
Pending
Detention
Restarting
DecommAwaitPeer
DecommFixingBuckets
Decommissioned
status_counter Lists the number of buckets on the peer for each bucket status.

Possible values for bucket status:

Complete: complete (warm/cold) bucket
NonStreamingTarget: target of replication for already completed (warm/cold) bucket
PendingTruncate: bucket pending truncation
PendingDiscard: bucket pending discard
Standalone: bucket that is not replicated
StreamingError: copy of streaming bucket where some error was encountered
StreamingSource: streaming hot bucket on source side
StreamingTarget: streaming hot bucket copy on target side
Unset: uninitialized

[ Top ]

shcluster/captain/members/{name}


https://<host>:<mPort>/services/shcluster/captain/members/{name}

Authentication: Not required

Description

Get information about the {name} searchhead cluster member.

Method summary
Method Description Formats
GET Get information about the {name} searchhead cluster member. XML, JSON

GET shcluster/captain/members/{name} method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
adhoc_searchhead Flag to indicate if this member does not run scheduled searches.
advertise_restart_required Flag to indicate if this peer advertised that it needed a restart.
artifact_count Number of artifacts on this peer.
delayed_artifacts_to_discard List of artifacts waiting to be deleted from this peer.
fixup_set N/A
host_port_pair The host and management port advertised by this peer.
kv_store_host_port Host and port of the kv store instance of this member.
label The name for this member displayed in the Splunk Enterprise Manager page.
last_heartbeat Timestamp for last heartbeat recieved from the peer
peer_scheme_host_port URI of the current captain.
pending_job_count Used by the master to keep track of pending jobs requested by the master to this peer.
replication_count Number of replications this peer is part of, as either source or target.
replication_port TCP port to listen for replicated data from another cluster member.
replication_use_ssl Indicates whether to use SSL when sending replication data.
site N/A
status Indicates the status of the member.

Valid values are:

Up
Down
Pending
Detention
Restarting
DecommAwaitPeer
DecommFixingBuckets
Decommissioned
status_counter Lists the number of buckets on the peer for each bucket status.

Possible values for bucket status:

Complete: complete (warm/cold) bucket
NonStreamingTarget: target of replication for already completed (warm/cold) bucket
PendingTruncate: bucket pending truncation
PendingDiscard: bucket pending discard
Standalone: bucket that is not replicated
StreamingError: copy of streaming bucket where some error was encountered
StreamingSource: streaming hot bucket on source side
StreamingTarget: streaming hot bucket copy on target side
Unset: uninitialized

[ Top ]

shcluster/config


https://<host>:<mPort>/services/shcluster/config

Authentication: Not required

Description

List searchhead cluster node configuration.

Method summary
Method Description Formats
GET List searchhead cluster node configuration. XML, JSON

GET shcluster/config method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
cxn_timeout Low-level timeout, in seconds, for establishing connection between searchhead cluster nodes. Defaults to 60 seconds.
disabled Indicates if this node is disabled.
heartbeat_period Only valid for member nodes in a searchhead cluster. The time, in seconds, that a member attempts to send a heartbeat to the captain
heartbeat_timeout Only valid for the captain node in a searchhead cluster configuration. The time, in seconds, before a captain considers a member down. Once a member is down, the captain initiates steps to replicate artifacts from the dead member to its live members. Defaults to 60 seconds.
id Id of the SH cluster this member is a part of.
max_peer_rep_load Maximum number of replications that can be ongoing as a target.
mode slave | searchhead | disabled) Defaults to disabled.

Sets operational mode for this searchhead cluster node. Only one captain may exist per searchhead cluster.

percent_peers_to_restart Percentage of peers to restart at the same time when doing a rolling restart.
ping_flag For internal use to facilitate communication between the captain and members.
quiet_period The time, in seconds, that a captain waits for members to add themselves to the searchhead cluster.
rcv_timeout Low-level timeout, in seconds, for receiving data between searchhead cluster nodes. Defaults to 60 seconds.
register_replication_address Valid only for nodes configured as members. The address on which a member is available for accepting replication data. This is useful in the cases where a member host machine has multiple interfaces and only one of them can be reached by another splunkd instance.
rep_cxn_timeout Low-level timeout, in seconds, for establishing a connection for replicating data.
rep_max_rcv_timeout Maximum cumulative time, in seconds, for receiving acknowledgement data from members. Defaults to 600s.
rep_max_send_timeout Maximum time, in seconds, for sending replication slice data between searchhead cluster nodes. Defaults to 600s.
rep_rcv_timeout Low-level timeout, in seconds, for receiving data between searchhead cluster nodes.
rep_send_timeout Low-level timeout, in seconds, for sending replication data between searchhead cluster nodes. Defaults to 5 seconds.
replication_factor Only valid for nodes configured as a captain.

Determines how many copies of raw data are created in the searchhead cluster. This could be less than the number of searchhead cluster members.

Must be greater than 0 and greater than or equal to the search factor. Defaults to 3.

replication_port TCP port to listen for replicated data from another searchhead cluster member.
replication_use_ssl Indicates whether to use SSL when sending replication data.
restart_timeout Only valid for nodes configured as a captain. The amount of time, in seconds, the captain waits for a member to come back when the member is restarted (to avoid the overhead of trying to fix the artifacts that were on the member). Defaults to 600 seconds.

Note: This only works if the member is restarted from Splunk Web.

secret Secret shared among the nodes in the searchhead cluster to prevent any arbitrary node from connecting to the searchhead cluster. If a member or searchhead is not configured with the same secret as the captain, it is not able to communicate with the captain.

Corresponds to pass4SymmKey setting in server.conf.

send_timeout Low-level timeout, in seconds, for sending data between searchhead cluster nodes. Defaults to 60 seconds.

[ Top ]

shcluster/member/artifacts


https://<host>:<mPort>/services/shcluster/member/artifacts

Authentication: Not required

Description

Manage searchhead cluster member artifact configuration.

Method summary
Method Description Formats
GET List searchhead cluster members artifact configuration. XML, JSON
GET shcluster/member/artifacts method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys

For each member:

status Indicates the status of this artifact. Possible values:
Complete: Copy of this artifact contains the full complement of information.
StreamingSource: The copy of this artifact is sending data to member nodes for replication.
StreamingTarget: The copy of this artifact is receiving replicated data.
NonStreamingTarget: This copy of a warm artifact replication is in progress. Once replication is complete, the status changes to Complete.
StreamingError: the copy of this artifact encountered errors while streaming data.
PendingTruncate: The captain asked the member to truncate this copy of the artifact to a certain size and is waiting for confirmation.
PendingDiscard: The captain asked the member to discard this copy of the artifact (for whatever reason, and is waiting for confirmation.
Standalone: A artifact in the searchhead cluster that is not replicated.

[ Top ]

shcluster/member/artifacts/{name}


https://<host>:<mPort>/services/shcluster/member/artifacts/{name}

Authentication: Not required

Description

Get {name} member artifact configuration.

Method summary
Method Description Formats
GET List {name} member artifact information. XML, JSON
GET shcluster/member/artifacts/{name} method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
status Indicates the status of this artifact. Possible values:
Complete: Copy of this artifact contains the full complement of information.
StreamingSource: The copy of this artifact is sending data to member nodes for replication.
StreamingTarget: The copy of this artifact is receiving replicated data.
NonStreamingTarget: This copy of a warm artifact replication is in progress. Once replication is complete, the status changes to Complete.
StreamingError: the copy of this artifact encountered errors while streaming data.
PendingTruncate: The captain asked the member to truncate this copy of the artifact to a certain size and is waiting for confirmation.
PendingDiscard: The captain asked the member to discard this copy of the artifact (for whatever reason, and is waiting for confirmation.
Standalone: A artifact in the searchhead cluster that is not replicated.

[ Top ]

shcluster/member/consensus


https://<host>:<mPort>/services/shcluster/member/consensus

Authentication: Not required

Description

Get latest cluster configuration from the raft consensus protocol.

Method summary
Method Description Formats
GET Get latest cluster configuration from the raft consensus protocol. XML, JSON

GET shcluster/member/consensus method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys

For each member:

configuration_id Unique id for this configuration.
servers_list Comma-separated list of members that are part of the cluster. Each member is listed as scheme://host:port

[ Top ]

shcluster/member/info


https://<host>:<mPort>/services/shcluster/member/info

Authentication: Not required

Description

Access searchhead cluster member node information.

Method summary
Method Description Formats
GET List member information. XML, JSON

GET shcluster/member/info method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys

For each member:

adhoc_searchhead Flag that indicates if this member can run scheduled searches.
is_registered Indicates if this member is registered with the searchhead cluster captain.
last_heartbeat_attempt Timestamp for the last attempt to contact the captain.
maintenance_mode N/A
peer_load_stats_gla_15m Number of scheduled searches run in the last 15 minutes.
peer_load_stats_gla_1m Number of scheduled searches run in the last one minute.
peer_load_stats_gla_5m Number of scheduled searches run in the last five minutes.
peer_load_stats_max_runtime N/A
peer_load_stats_num_autosummary N/A
peer_load_stats_num_historical N/A
peer_load_stats_num_realtime N/A
peer_load_stats_num_running N/A
peer_load_stats_total_runtime N/A
restart_state Indicates whether the member needs to be restarted to enable its searchhead cluster configuration.
status Indicates the status of the member. Possible values:
Up
Down
Pending
Detention
Restarting
DecommAvaitingPeer
DecommFixingBuckets
Decommissioned

[ Top ]

Cluster endpoint examples

cluster/config GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/config
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>clusterconfig</title>
 <id>https://localhost:8089/services/cluster/config</id>
 <updated>2012-09-05T10:19:49-07:00</updated>
 <generator build="136169" version="5.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/config/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>config</title>
   <id>https://localhost:8089/services/cluster/config/config</id>
   <updated>2012-09-05T10:19:49-07:00</updated>
   <link href="/services/cluster/config/config" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/config/config" rel="list"/>
   <link href="/services/cluster/config/config/_reload" rel="_reload"/>
   <link href="/services/cluster/config/config" rel="edit"/>
   <link href="/services/cluster/config/config/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="cxn_timeout">60</s:key>
       <s:key name="disabled">0</s:key>
       ... eai:acl node elided ...
       <s:key name="forwarderdata_rcv_port">0</s:key>
       <s:key name="forwarderdata_use_ssl">1</s:key>
       <s:key name="heartbeat_period">1</s:key>
       <s:key name="heartbeat_timeout">60</s:key>
       <s:key name="master_uri"></s:key>
       <s:key name="max_peer_build_load">5</s:key>
       <s:key name="max_peer_rep_load">5</s:key>
       <s:key name="mode">master</s:key>
       <s:key name="ping_flag">1</s:key>
       <s:key name="quiet_period">60</s:key>
       <s:key name="rcv_timeout">60</s:key>
       <s:key name="register_forwarder_address"></s:key>
       <s:key name="register_replication_address"></s:key>
       <s:key name="register_search_address"></s:key>
       <s:key name="rep_cxn_timeout">5</s:key>
       <s:key name="rep_max_rcv_timeout">600</s:key>
       <s:key name="rep_max_send_timeout">600</s:key>
       <s:key name="rep_rcv_timeout">10</s:key>
       <s:key name="rep_send_timeout">5</s:key>
       <s:key name="replication_factor">2</s:key>
       <s:key name="replication_port"></s:key>
       <s:key name="replication_use_ssl">0</s:key>
       <s:key name="restart_timeout">600</s:key>
       <s:key name="search_factor">2</s:key>
       <s:key name="secret">********</s:key>
       <s:key name="send_timeout">60</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


cluster/master/buckets GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/master/buckets
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>clustermasterbuckets</title>
 <id>https://localhost:8089/services/cluster/master/buckets</id>
 <updated>2014-04-17T19:13:57+00:00</updated>
 <generator build="204899" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/master/buckets/_new" rel="create"/>
 <opensearch:totalResults>24</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>_audit~0~238C3311-F0A4-4A9B-97F0-53667CFFEEAB</title>
   <id>https://localhost:8089/services/cluster/master/buckets/_audit~0~238C3311-F0A4-4A9B-97F0-53667CFFEEAB</id>
   <updated>2014-04-17T19:13:57+00:00</updated>
   <link href="/services/cluster/master/buckets/_audit~0~238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/master/buckets/_audit~0~238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="list"/>
   <link href="/services/cluster/master/buckets/_audit~0~238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="bucket_size">47187</s:key>
       <s:key name="constrain_to_origin_site">1</s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="force_roll">0</s:key>
       <s:key name="frozen">0</s:key>
       <s:key name="index">_audit</s:key>
       <s:key name="origin_site">site2</s:key>
       <s:key name="peers">
         <s:dict>
           <s:key name="238C3311-F0A4-4A9B-97F0-53667CFFEEAB">
             <s:dict>
               <s:key name="bucket_flags">0x6</s:key>
               <s:key name="checksum"></s:key>
               <s:key name="checksum_state">StableCksum</s:key>
               <s:key name="search_state">Searchable</s:key>
               <s:key name="status">Complete</s:key>
             </s:dict>
           </s:key>
           <s:key name="C878FADC-513D-4BDD-BA48-F25BB82FE565">
             <s:dict>
               <s:key name="bucket_flags">0x0</s:key>
               <s:key name="checksum"></s:key>
               <s:key name="checksum_state">StableCksum</s:key>
               <s:key name="search_state">Searchable</s:key>
               <s:key name="status">Complete</s:key>
             </s:dict>
           </s:key>
           <s:key name="E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C">
             <s:dict>
               <s:key name="bucket_flags">0x0</s:key>
               <s:key name="checksum"></s:key>
               <s:key name="checksum_state">StableCksum</s:key>
               <s:key name="search_state">Unsearchable</s:key>
               <s:key name="status">Complete</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="primaries_by_site">
         <s:dict>
           <s:key name="site1">238C3311-F0A4-4A9B-97F0-53667CFFEEAB</s:key>
           <s:key name="site2">238C3311-F0A4-4A9B-97F0-53667CFFEEAB</s:key>
         </s:dict>
       </s:key>
       <s:key name="rep_count_by_site">
         <s:dict>
           <s:key name="site2">3</s:key>
         </s:dict>
       </s:key>
       <s:key name="search_count_by_site">
         <s:dict>
           <s:key name="site2">2</s:key>
         </s:dict>
       </s:key>
       <s:key name="service_after_time">0</s:key>
       <s:key name="standalone">0</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
     .
     .
     .
   elided
     .
     .
     .
 <entry>
   <title>_internal~1~E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C</title>
   <id>https://localhost:8089/services/cluster/master/buckets/_internal~1~E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C</id>
   <updated>2014-04-17T19:13:57+00:00</updated>
   <link href="/services/cluster/master/buckets/_internal~1~E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/master/buckets/_internal~1~E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C" rel="list"/>
   <link href="/services/cluster/master/buckets/_internal~1~E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="bucket_size"></s:key>
       <s:key name="constrain_to_origin_site">0</s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="force_roll">0</s:key>
       <s:key name="frozen">0</s:key>
       <s:key name="index">_internal</s:key>
       <s:key name="origin_site">site2</s:key>
       <s:key name="peers">
         <s:dict>
           <s:key name="61666763-43E9-411B-9464-D80A5119EF0E">
             <s:dict>
               <s:key name="bucket_flags">0x2</s:key>
               <s:key name="checksum"></s:key>
               <s:key name="checksum_state">StableCksum</s:key>
               <s:key name="search_state">Searchable</s:key>
               <s:key name="status">StreamingTarget</s:key>
             </s:dict>
           </s:key>
           <s:key name="C878FADC-513D-4BDD-BA48-F25BB82FE565">
             <s:dict>
               <s:key name="bucket_flags">0x0</s:key>
               <s:key name="checksum"></s:key>
               <s:key name="checksum_state">StableCksum</s:key>
               <s:key name="search_state">Unsearchable</s:key>
               <s:key name="status">StreamingTarget</s:key>
             </s:dict>
           </s:key>
           <s:key name="E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C">
             <s:dict>
               <s:key name="bucket_flags">0x4</s:key>
               <s:key name="checksum"></s:key>
               <s:key name="checksum_state">StableCksum</s:key>
               <s:key name="search_state">Searchable</s:key>
               <s:key name="status">StreamingSource</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="primaries_by_site">
         <s:dict>
           <s:key name="site1">61666763-43E9-411B-9464-D80A5119EF0E</s:key>
           <s:key name="site2">E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C</s:key>
         </s:dict>
       </s:key>
       <s:key name="rep_count_by_site">
         <s:dict>
           <s:key name="site1">1</s:key>
           <s:key name="site2">2</s:key>
         </s:dict>
       </s:key>
       <s:key name="search_count_by_site">
         <s:dict>
           <s:key name="site1">1</s:key>
           <s:key name="site2">1</s:key>
         </s:dict>
       </s:key>
       <s:key name="service_after_time">0</s:key>
       <s:key name="standalone">0</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


cluster/master/buckets/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/master/buckets/internal~1~238C3311-F0A4-4A9B-97F0-53667CFFEEAB
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>clustermasterbuckets</title>
 <id>https://localhost:8089/services/cluster/master/buckets</id>
 <updated>2014-04-17T19:16:03+00:00</updated>
 <generator build="204899" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/master/buckets/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>_internal~1~238C3311-F0A4-4A9B-97F0-53667CFFEEAB</title>
   <id>https://localhost:8089/services/cluster/master/buckets/_internal~1~238C3311-F0A4-4A9B-97F0-53667CFFEEAB</id>
   <updated>2014-04-17T19:16:03+00:00</updated>
   <link href="/services/cluster/master/buckets/_internal~1~238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/master/buckets/_internal~1~238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="list"/>
   <link href="/services/cluster/master/buckets/_internal~1~238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="bucket_size"></s:key>
       <s:key name="constrain_to_origin_site">0</s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="eai:attributes">
         ... elided ...
       </s:key>
       <s:key name="force_roll">0</s:key>
       <s:key name="frozen">0</s:key>
       <s:key name="index">_internal</s:key>
       <s:key name="origin_site">site2</s:key>
       <s:key name="peers">
         <s:dict>
           <s:key name="238C3311-F0A4-4A9B-97F0-53667CFFEEAB">
             <s:dict>
               <s:key name="bucket_flags">0x4</s:key>
               <s:key name="checksum"></s:key>
               <s:key name="checksum_state">StableCksum</s:key>
               <s:key name="search_state">Searchable</s:key>
               <s:key name="status">StreamingSource</s:key>
             </s:dict>
           </s:key>
           <s:key name="29F9560E-A44A-425C-8753-1C6158B46C84">
             <s:dict>
               <s:key name="bucket_flags">0x2</s:key>
               <s:key name="checksum"></s:key>
               <s:key name="checksum_state">StableCksum</s:key>
               <s:key name="search_state">Searchable</s:key>
               <s:key name="status">StreamingTarget</s:key>
             </s:dict>
           </s:key>
           <s:key name="C878FADC-513D-4BDD-BA48-F25BB82FE565">
             <s:dict>
               <s:key name="bucket_flags">0x0</s:key>
               <s:key name="checksum"></s:key>
               <s:key name="checksum_state">StableCksum</s:key>
               <s:key name="search_state">Unsearchable</s:key>
               <s:key name="status">StreamingTarget</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="primaries_by_site">
         <s:dict>
           <s:key name="site1">29F9560E-A44A-425C-8753-1C6158B46C84</s:key>
           <s:key name="site2">238C3311-F0A4-4A9B-97F0-53667CFFEEAB</s:key>
         </s:dict>
       </s:key>
       <s:key name="rep_count_by_site">
         <s:dict>
           <s:key name="site1">1</s:key>
           <s:key name="site2">2</s:key>
         </s:dict>
       </s:key>
       <s:key name="search_count_by_site">
         <s:dict>
           <s:key name="site1">1</s:key>
           <s:key name="site2">1</s:key>
         </s:dict>
       </s:key>
       <s:key name="service_after_time">0</s:key>
       <s:key name="standalone">0</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


cluster/master/control/control/rebalance_primaries POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/master/control/control/rebalance_primaries --request POST
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>clustermastercontrol</title>
 <id>https://localhost:8089/services/cluster/master/control</id>
 <updated>2013-08-21T13:08:52-07:00</updated>
 <generator build="176231" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>0</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>

</feed>


cluster/master/control/control/remove_peers POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/master/control/control/remove_peers --request POST  -d "peers=F2AA19BD-622F-4F8C-A8E0-1233"
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>clustermastercontrol</title>
 <id>https://localhost:8089/services/cluster/master/control</id>
 <updated>2014-09-10T13:12:54-07:00</updated>
 <generator build="230688" version="6.2"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>

</feed>


cluster/master/generation GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/master/generation
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>clustermastergeneration</title>
 <id>https://localhost:8089/services/cluster/master/generation</id>
 <updated>2012-09-05T10:39:54-07:00</updated>
 <generator build="136169" version="5.0"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>master</title>
   <id>https://localhost:8089/services/cluster/master/generation/master</id>
   <updated>2012-09-05T10:39:54-07:00</updated>
   <link href="/services/cluster/master/generation/master" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/master/generation/master" rel="list"/>
   <content type="text/xml">
     <s:dict>
       ... eai:acl node elided ...
       <s:key name="generation_id">2</s:key>
       <s:key name="generation_peers">
         <s:dict>
           <s:key name="2AF11DD4-1424-4A14-A522-FB9D055E9516">
             <s:dict>
               <s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8389</s:key>
               <s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
             </s:dict>
           </s:key>
           <s:key name="50FCDB42-E167-458D-A6A9-E4587E8F16D9">
             <s:dict>
               <s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8189</s:key>
               <s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="pending_generation_id">3</s:key>
       <s:key name="pending_last_attempt">0</s:key>
       <s:key name="pending_last_reason"></s:key>
     </s:dict>
   </content>
 </entry>

</feed>


cluster/master/generation POST

XML
XML Request

curl -k -u admin:pass https://myserver:8089/services/cluster/master/generation -d name=foo
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>clustermastergeneration</title>
 <id>https://myserver:8089/services/cluster/master/generation</id>
 <updated>2013-10-31T13:58:51-07:00</updated>
 <generator build="184661" version="20131030"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/master/generation/_new" rel="create"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>master</title>
   <id>https://myserver:8089/services/cluster/master/generation/master</id>
   <updated>2013-10-31T13:58:51-07:00</updated>
   <link href="/services/cluster/master/generation/master" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/master/generation/master" rel="list"/>
   <link href="/services/cluster/master/generation/master" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       ... eai:acl node elided ...
       <s:key name="generation_id">5</s:key>
       <s:key name="generation_peers">
         <s:dict>
           <s:key name="11111111-1111-1111-1111-111111111111">
             <s:dict>
               <s:key name="host_port_pair">myserver.splunk.com:6431</s:key>
               <s:key name="peer">PEER1</s:key>
             </s:dict>
           </s:key>
           <s:key name="22222222-2222-2222-2222-222222222222">
             <s:dict>
               <s:key name="host_port_pair">myserver.splunk.com:6432</s:key>
               <s:key name="peer">PEER2</s:key>
             </s:dict>
           </s:key>
           <s:key name="33333333-3333-3333-3333-333333333333">
             <s:dict>
               <s:key name="host_port_pair">myserver.splunk.com:6433</s:key>
               <s:key name="peer">PEER3</s:key>
             </s:dict>
           </s:key>
           <s:key name="44444444-4444-4444-4444-444444444444">
             <s:dict>
               <s:key name="host_port_pair">myserver.splunk.com:6434</s:key>
               <s:key name="peer">PEER4</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="pending_generation_id">6</s:key>
       <s:key name="pending_last_attempt">0</s:key>
       <s:key name="pending_last_reason"></s:key>
       <s:key name="replication_factor_met">1</s:key>
       <s:key name="search_factor_met">1</s:key>
       <s:key name="was_forced">0</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


cluster/master/generation/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/master/generation/master
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>clustermastergeneration</title>
 <id>https://localhost:8089/services/cluster/master/generation</id>
 <updated>2012-09-05T10:45:27-07:00</updated>
 <generator build="136169" version="5.0"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>master</title>
   <id>https://localhost:8089/services/cluster/master/generation/master</id>
   <updated>2012-09-05T10:45:27-07:00</updated>
   <link href="/services/cluster/master/generation/master" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/master/generation/master" rel="list"/>
   <content type="text/xml">
     <s:dict>
       ... eai:acl node elided ...
       ... eai:attributes node elided ...
       <s:key name="generation_id">2</s:key>
       <s:key name="generation_peers">
         <s:dict>
           <s:key name="2AF11DD4-1424-4A14-A522-FB9D055E9516">
             <s:dict>
               <s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8389</s:key>
               <s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
             </s:dict>
           </s:key>
           <s:key name="50FCDB42-E167-458D-A6A9-E4587E8F16D9">
             <s:dict>
               <s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8189</s:key>
               <s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="pending_generation_id">3</s:key>
       <s:key name="pending_last_attempt">0</s:key>
       <s:key name="pending_last_reason"></s:key>
     </s:dict>
   </content>
 </entry>

</feed>


cluster/master/generation/{name} POST

XML
XML Request

curl -k -u admin:pass https://myserver:8089/services/cluster/master/generation/foo -X POST -d generation_poll_interval=62 -d label=PEER2
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>clustermastergeneration</title>
 <id>https://myserver:8089/services/cluster/master/generation</id>
 <updated>2013-10-31T14:37:20-07:00</updated>
 <generator build="184661" version="20131030"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/master/generation/_new" rel="create"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>master</title>
   <id>https://myserver:8089/services/cluster/master/generation/master</id>
   <updated>2013-10-31T14:37:20-07:00</updated>
   <link href="/services/cluster/master/generation/master" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/master/generation/master" rel="list"/>
   <link href="/services/cluster/master/generation/master" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       ... eai:acl node elided ...
       <s:key name="generation_id">5</s:key>
       <s:key name="generation_peers">
         <s:dict>
           <s:key name="11111111-1111-1111-1111-111111111111">
             <s:dict>
               <s:key name="host_port_pair">myserver.splunk.com:6431</s:key>
               <s:key name="peer">PEER1</s:key>
             </s:dict>
           </s:key>
           <s:key name="22222222-2222-2222-2222-222222222222">
             <s:dict>
               <s:key name="host_port_pair">myserver.splunk.com:6432</s:key>
               <s:key name="peer">PEER2</s:key>
             </s:dict>
           </s:key>
           <s:key name="33333333-3333-3333-3333-333333333333">
             <s:dict>
               <s:key name="host_port_pair">myserver.splunk.com:6433</s:key>
               <s:key name="peer">PEER3</s:key>
             </s:dict>
           </s:key>
           <s:key name="44444444-4444-4444-4444-444444444444">
             <s:dict>
               <s:key name="host_port_pair">myserver.splunk.com:6434</s:key>
               <s:key name="peer">PEER4</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="pending_generation_id">6</s:key>
       <s:key name="pending_last_attempt">0</s:key>
       <s:key name="pending_last_reason"></s:key>
       <s:key name="replication_factor_met">1</s:key>
       <s:key name="search_factor_met">1</s:key>
       <s:key name="was_forced">0</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


cluster/master/indexes GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/master/indexes
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>clustermasterpeerindexes</title>
 <id>https://localhost:8089/services/cluster/master/indexes</id>
 <updated>2014-04-17T19:11:14+00:00</updated>
 <generator build="204899" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>2</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>_audit</title>
   <id>https://localhost:8089/services/cluster/master/indexes/_audit</id>
   <updated>2014-04-17T19:11:14+00:00</updated>
   <link href="/services/cluster/master/indexes/_audit" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/master/indexes/_audit" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="buckets_with_excess_copies">0</s:key>
       <s:key name="buckets_with_excess_searchable_copies">0</s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="index_size">284975</s:key>
       <s:key name="is_searchable">1</s:key>
       <s:key name="non_site_aware_buckets_in_site_aware_cluster">6</s:key>
       <s:key name="num_buckets">12</s:key>
       <s:key name="replicated_copies_tracker">
         <s:dict>
           <s:key name="0">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
           <s:key name="1">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
           <s:key name="2">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="searchable_copies_tracker">
         <s:dict>
           <s:key name="0">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
           <s:key name="1">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="sort_order">4294967295</s:key>
       <s:key name="total_excess_bucket_copies">0</s:key>
       <s:key name="total_excess_searchable_copies">0</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>_internal</title>
   <id>https://localhost:8089/services/cluster/master/indexes/_internal</id>
   <updated>2014-04-17T19:11:14+00:00</updated>
   <link href="/services/cluster/master/indexes/_internal" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/master/indexes/_internal" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="buckets_with_excess_copies">0</s:key>
       <s:key name="buckets_with_excess_searchable_copies">0</s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="index_size">1190869</s:key>
       <s:key name="is_searchable">1</s:key>
       <s:key name="non_site_aware_buckets_in_site_aware_cluster">6</s:key>
       <s:key name="num_buckets">12</s:key>
       <s:key name="replicated_copies_tracker">
         <s:dict>
           <s:key name="0">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
           <s:key name="1">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
           <s:key name="2">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="searchable_copies_tracker">
         <s:dict>
           <s:key name="0">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
           <s:key name="1">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="sort_order">4294967295</s:key>
       <s:key name="total_excess_bucket_copies">0</s:key>
       <s:key name="total_excess_searchable_copies">0</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


cluster/master/indexes/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/master/indexes/_audit
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>clustermasterpeerindexes</title>
 <id>https://localhost:8089/services/cluster/master/indexes</id>
 <updated>2014-04-17T19:11:14+00:00</updated>
 <generator build="204899" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>2</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>_audit</title>
   <id>https://localhost:8089/services/cluster/master/indexes/_audit</id>
   <updated>2014-04-17T19:11:14+00:00</updated>
   <link href="/services/cluster/master/indexes/_audit" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/master/indexes/_audit" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="buckets_with_excess_copies">0</s:key>
       <s:key name="buckets_with_excess_searchable_copies">0</s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="index_size">284975</s:key>
       <s:key name="is_searchable">1</s:key>
       <s:key name="non_site_aware_buckets_in_site_aware_cluster">6</s:key>
       <s:key name="num_buckets">12</s:key>
       <s:key name="replicated_copies_tracker">
         <s:dict>
           <s:key name="0">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
           <s:key name="1">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
           <s:key name="2">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="searchable_copies_tracker">
         <s:dict>
           <s:key name="0">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
           <s:key name="1">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="sort_order">4294967295</s:key>
       <s:key name="total_excess_bucket_copies">0</s:key>
       <s:key name="total_excess_searchable_copies">0</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


cluster/master/info GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/master/info
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>clustermasterinfo</title>
 <id>http://greentea.sv.splunk.com:8089/services/cluster/master/info</id>
 <updated>2013-07-23T10:36:35-07:00</updated>
 <generator build="172635" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>master</title>
   <id>http://greentea.sv.splunk.com:8089/services/cluster/master/info/master</id>
   <updated>2013-07-23T10:36:35-07:00</updated>
   <link href="/services/cluster/master/info/master" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/master/info/master" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="active_bundle">
         <s:dict>
           <s:key name="bundle_path">/home/eserv/schoi/apple_master/splunk/var/run/splunk/cluster/remote-bundle/66e383cafa8ff1f033e2341e35fc2e09-1374594357.bundle</s:key>
           <s:key name="checksum">a98f211c7bc6b141bd4fe5775c7cd193</s:key>
           <s:key name="timestamp">1374594357</s:key>
         </s:dict>
       </s:key>
       <s:key name="bundle_creation_time_on_master">1374594357</s:key>
       <s:key name="bundle_validation_errors_on_master">
         <s:list/>
       </s:key>
       <s:key name="bundle_validation_in_progress">0</s:key>
       <s:key name="bundle_validation_on_master_succeeded">1</s:key>
       <s:key name="data_safety_buckets_to_fix">
         <s:dict>
           <s:key name="_internal~1~05BB0AAC-61A5-491B-9153-3B02E6DA6130">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">resolved initial state</s:key>
                   <s:key name="timestamp">1374594631</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason"></s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="_internal~1~76AFDA4D-DAA7-48A8-A738-DD669A0853CD">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">resolved initial state</s:key>
                   <s:key name="timestamp">1374594631</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason"></s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
               .
               .
               .
             elided
               .
               .
               .
           <s:key name="i5~659~8CEAE4B4-BAB0-415E-9DA6-0438ECD8B3EF">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">streaming success</s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason">streaming success</s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       ... eai:acl node elided ...
       <s:key name="gen_commit_buckets_to_fix">
         <s:dict>
           <s:key name="_internal~1~05BB0AAC-61A5-491B-9153-3B02E6DA6130">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">resolved initial state</s:key>
                   <s:key name="timestamp">1374594631</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason"></s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="_internal~1~76AFDA4D-DAA7-48A8-A738-DD669A0853CD">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">resolved initial state</s:key>
                   <s:key name="timestamp">1374594631</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason"></s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
               .
               .
               .
             elided
               .
               .
               .
           <s:key name="i5~659~8CEAE4B4-BAB0-415E-9DA6-0438ECD8B3EF">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">streaming success</s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason">streaming success</s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="indexing_ready_flag">1</s:key>
       <s:key name="initialized_flag">1</s:key>
       <s:key name="label">master_nc</s:key>
       <s:key name="latest_bundle">
         <s:dict>
           <s:key name="bundle_path">/home/eserv/schoi/apple_master/splunk/var/run/splunk/cluster/remote-bundle/66e383cafa8ff1f033e2341e35fc2e09-1374594357.bundle</s:key>
           <s:key name="checksum">a98f211c7bc6b141bd4fe5775c7cd193</s:key>
           <s:key name="timestamp">1374594357</s:key>
         </s:dict>
       </s:key>
       <s:key name="maintenance_mode">0</s:key>
       <s:key name="reload_bundle_issued">0</s:key>
       <s:key name="rep_count_buckets_to_fix">
         <s:dict>
           <s:key name="_internal~1~05BB0AAC-61A5-491B-9153-3B02E6DA6130">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">resolved initial state</s:key>
                   <s:key name="timestamp">1374594631</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason"></s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="_internal~1~76AFDA4D-DAA7-48A8-A738-DD669A0853CD">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">resolved initial state</s:key>
                   <s:key name="timestamp">1374594631</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason"></s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
               .
               .
               .
             elided
               .
               .
               .
           <s:key name="i5~659~8CEAE4B4-BAB0-415E-9DA6-0438ECD8B3EF">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">streaming success</s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason">streaming success</s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="rolling_restart_flag">0</s:key>
       <s:key name="search_count_buckets_to_fix">
         <s:dict>
           <s:key name="_internal~1~05BB0AAC-61A5-491B-9153-3B02E6DA6130">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">resolved initial state</s:key>
                   <s:key name="timestamp">1374594631</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason"></s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="_internal~1~76AFDA4D-DAA7-48A8-A738-DD669A0853CD">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">resolved initial state</s:key>
                   <s:key name="timestamp">1374594631</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason"></s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
               .
               .
               .
             elided
               .
               .
               .
           <s:key name="i5~659~8CEAE4B4-BAB0-415E-9DA6-0438ECD8B3EF">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">streaming success</s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason">streaming success</s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="service_ready_flag">1</s:key>
       <s:key name="start_time">1374594571</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


cluster/master/peers GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/master/peers
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>clustermasterpeers</title>
 <id>https://localhost:8089/services/cluster/master/peers</id>
 <updated>2014-04-17T19:17:08+00:00</updated>
 <generator build="204899" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/master/peers/_new" rel="create"/>
 <opensearch:totalResults>6</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>238C3311-F0A4-4A9B-97F0-53667CFFEEAB</title>
   <id>https://localhost:8089/services/cluster/master/peers/238C3311-F0A4-4A9B-97F0-53667CFFEEAB</id>
   <updated>2014-04-17T19:17:08+00:00</updated>
   <link href="/services/cluster/master/peers/238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/master/peers/238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="list"/>
   <link href="/services/cluster/master/peers/238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="active_bundle_id">4708B74780A1E5101449548B1E103616</s:key>
       <s:key name="apply_bundle_status">
         <s:dict>
           <s:key name="invalid_bundle">
             <s:dict>
               <s:key name="bundle_validation_errors">
                 <s:list/>
               </s:key>
               <s:key name="invalid_bundle_id"></s:key>
             </s:dict>
           </s:key>
           <s:key name="reload_error"></s:key>
           <s:key name="restart_required_for_apply_bundle">0</s:key>
         </s:dict>
       </s:key>
       <s:key name="base_generation_id">6</s:key>
       <s:key name="bucket_count">10</s:key>
       <s:key name="bucket_count_by_index">
         <s:dict>
           <s:key name="_audit">5</s:key>
           <s:key name="_internal">5</s:key>
         </s:dict>
       </s:key>
       <s:key name="delayed_buckets_to_discard">
         <s:list/>
       </s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="fixup_set">
         <s:list/>
       </s:key>
       <s:key name="heartbeat_started">1</s:key>
       <s:key name="host_port_pair">127.0.1.1:8096</s:key>
       <s:key name="is_searchable">1</s:key>
       <s:key name="label">s2p3</s:key>
       <s:key name="last_heartbeat">1397762228</s:key>
       <s:key name="latest_bundle_id">4708B74780A1E5101449548B1E103616</s:key>
       <s:key name="pending_job_count">0</s:key>
       <s:key name="primary_count">5</s:key>
       <s:key name="primary_count_remote">2</s:key>
       <s:key name="replication_count">0</s:key>
       <s:key name="replication_port">9905</s:key>
       <s:key name="replication_use_ssl">0</s:key>
       <s:key name="search_state_counter">
         <s:dict>
           <s:key name="Searchable">5</s:key>
           <s:key name="SearchablePendingMask">0</s:key>
           <s:key name="Unsearchable">5</s:key>
         </s:dict>
       </s:key>
       <s:key name="site">site2</s:key>
       <s:key name="status">Up</s:key>
       <s:key name="status_counter">
         <s:dict>
           <s:key name="Complete">6</s:key>
           <s:key name="NonStreamingTarget">0</s:key>
           <s:key name="StreamingSource">2</s:key>
           <s:key name="StreamingTarget">2</s:key>
         </s:dict>
       </s:key>
     </s:dict>
   </content>
 </entry>
     .
     .
     .
   elided
     .
     .
     .
 <entry>
   <title>E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C</title>
   <id>https://localhost:8089/services/cluster/master/peers/E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C</id>
   <updated>2014-04-17T19:17:08+00:00</updated>
   <link href="/services/cluster/master/peers/E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/master/peers/E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C" rel="list"/>
   <link href="/services/cluster/master/peers/E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="active_bundle_id">4708B74780A1E5101449548B1E103616</s:key>
       <s:key name="apply_bundle_status">
         <s:dict>
           <s:key name="invalid_bundle">
             <s:dict>
               <s:key name="bundle_validation_errors">
                 <s:list/>
               </s:key>
               <s:key name="invalid_bundle_id"></s:key>
             </s:dict>
           </s:key>
           <s:key name="reload_error"></s:key>
           <s:key name="restart_required_for_apply_bundle">0</s:key>
         </s:dict>
       </s:key>
       <s:key name="base_generation_id">4</s:key>
       <s:key name="bucket_count">13</s:key>
       <s:key name="bucket_count_by_index">
         <s:dict>
           <s:key name="_audit">6</s:key>
           <s:key name="_internal">7</s:key>
         </s:dict>
       </s:key>
       <s:key name="delayed_buckets_to_discard">
         <s:list/>
       </s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="fixup_set">
         <s:list/>
       </s:key>
       <s:key name="heartbeat_started">1</s:key>
       <s:key name="host_port_pair">127.0.1.1:8094</s:key>
       <s:key name="is_searchable">1</s:key>
       <s:key name="label">s2p1</s:key>
       <s:key name="last_heartbeat">1397762227</s:key>
       <s:key name="latest_bundle_id">4708B74780A1E5101449548B1E103616</s:key>
       <s:key name="pending_job_count">0</s:key>
       <s:key name="primary_count">7</s:key>
       <s:key name="primary_count_remote">2</s:key>
       <s:key name="replication_count">0</s:key>
       <s:key name="replication_port">9903</s:key>
       <s:key name="replication_use_ssl">0</s:key>
       <s:key name="search_state_counter">
         <s:dict>
           <s:key name="PendingSearchable">0</s:key>
           <s:key name="Searchable">10</s:key>
           <s:key name="SearchablePendingMask">0</s:key>
           <s:key name="Unsearchable">3</s:key>
         </s:dict>
       </s:key>
       <s:key name="site">site2</s:key>
       <s:key name="status">Up</s:key>
       <s:key name="status_counter">
         <s:dict>
           <s:key name="Complete">6</s:key>
           <s:key name="NonStreamingTarget">0</s:key>
           <s:key name="StreamingSource">2</s:key>
           <s:key name="StreamingTarget">5</s:key>
         </s:dict>
       </s:key>
     </s:dict>
   </content>
 </entry>

</feed>


cluster/master/peers/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/master/peers/29F9560E-A44A-425C-8753-1C6158B46C84
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>clustermasterpeers</title>
 <id>https://localhost:8089/services/cluster/master/peers</id>
 <updated>2014-04-17T19:18:19+00:00</updated>
 <generator build="204899" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/master/peers/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>29F9560E-A44A-425C-8753-1C6158B46C84</title>
   <id>https://localhost:8089/services/cluster/master/peers/29F9560E-A44A-425C-8753-1C6158B46C84</id>
   <updated>2014-04-17T19:18:19+00:00</updated>
   <link href="/services/cluster/master/peers/29F9560E-A44A-425C-8753-1C6158B46C84" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/master/peers/29F9560E-A44A-425C-8753-1C6158B46C84" rel="list"/>
   <link href="/services/cluster/master/peers/29F9560E-A44A-425C-8753-1C6158B46C84" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="active_bundle_id">4708B74780A1E5101449548B1E103616</s:key>
       <s:key name="apply_bundle_status">
         <s:dict>
           <s:key name="invalid_bundle">
             <s:dict>
               <s:key name="bundle_validation_errors">
                 <s:list/>
               </s:key>
               <s:key name="invalid_bundle_id"></s:key>
             </s:dict>
           </s:key>
           <s:key name="reload_error"></s:key>
           <s:key name="restart_required_for_apply_bundle">0</s:key>
         </s:dict>
       </s:key>
       <s:key name="base_generation_id">3</s:key>
       <s:key name="bucket_count">11</s:key>
       <s:key name="bucket_count_by_index">
         <s:dict>
           <s:key name="_audit">6</s:key>
           <s:key name="_internal">5</s:key>
         </s:dict>
       </s:key>
       <s:key name="delayed_buckets_to_discard">
         <s:list/>
       </s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="eai:attributes">
         ... elided ...
       </s:key>
       <s:key name="fixup_set">
         <s:list/>
       </s:key>
       <s:key name="heartbeat_started">1</s:key>
       <s:key name="host_port_pair">127.0.1.1:8092</s:key>
       <s:key name="is_searchable">1</s:key>
       <s:key name="label">s1p3</s:key>
       <s:key name="last_heartbeat">1397762298</s:key>
       <s:key name="latest_bundle_id">4708B74780A1E5101449548B1E103616</s:key>
       <s:key name="pending_job_count">0</s:key>
       <s:key name="primary_count">6</s:key>
       <s:key name="primary_count_remote">2</s:key>
       <s:key name="replication_count">0</s:key>
       <s:key name="replication_port">9902</s:key>
       <s:key name="replication_use_ssl">0</s:key>
       <s:key name="search_state_counter">
         <s:dict>
           <s:key name="PendingSearchable">0</s:key>
           <s:key name="Searchable">8</s:key>
           <s:key name="SearchablePendingMask">0</s:key>
           <s:key name="Unsearchable">3</s:key>
         </s:dict>
       </s:key>
       <s:key name="site">site1</s:key>
       <s:key name="status">Up</s:key>
       <s:key name="status_counter">
         <s:dict>
           <s:key name="Complete">6</s:key>
           <s:key name="NonStreamingTarget">0</s:key>
           <s:key name="StreamingSource">2</s:key>
           <s:key name="StreamingTarget">3</s:key>
         </s:dict>
       </s:key>
     </s:dict>
   </content>
 </entry>

</feed>


cluster/master/sites GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/master/sites
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>clustermastersites</title>
 <id>https://localhost:8089/services/cluster/master/sites</id>
 <updated>2014-04-17T19:12:15+00:00</updated>
 <generator build="204899" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>2</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>site1</title>
   <id>https://localhost:8089/services/cluster/master/sites/site1</id>
   <updated>2014-04-17T19:12:15+00:00</updated>
   <link href="/services/cluster/master/sites/site1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/master/sites/site1" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="peers">
         <s:dict>
           <s:key name="29F9560E-A44A-425C-8753-1C6158B46C84">
             <s:dict>
               <s:key name="host_port_pair">127.0.1.1:8092</s:key>
               <s:key name="server_name">s1p3</s:key>
             </s:dict>
           </s:key>
           <s:key name="61666763-43E9-411B-9464-D80A5119EF0E">
             <s:dict>
               <s:key name="host_port_pair">127.0.1.1:8091</s:key>
               <s:key name="server_name">s1p2</s:key>
             </s:dict>
           </s:key>
           <s:key name="76C88808-2727-42B4-8C05-72DC44630FE4">
             <s:dict>
               <s:key name="host_port_pair">127.0.1.1:8090</s:key>
               <s:key name="server_name">s1p1</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>site2</title>
   <id>https://localhost:8089/services/cluster/master/sites/site2</id>
   <updated>2014-04-17T19:12:15+00:00</updated>
   <link href="/services/cluster/master/sites/site2" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/master/sites/site2" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="peers">
         <s:dict>
           <s:key name="238C3311-F0A4-4A9B-97F0-53667CFFEEAB">
             <s:dict>
               <s:key name="host_port_pair">127.0.1.1:8096</s:key>
               <s:key name="server_name">s2p3</s:key>
             </s:dict>
           </s:key>
           <s:key name="C878FADC-513D-4BDD-BA48-F25BB82FE565">
             <s:dict>
               <s:key name="host_port_pair">127.0.1.1:8095</s:key>
               <s:key name="server_name">s2p2</s:key>
             </s:dict>
           </s:key>
           <s:key name="E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C">
             <s:dict>
               <s:key name="host_port_pair">127.0.1.1:8094</s:key>
               <s:key name="server_name">s2p1</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
     </s:dict>
   </content>
 </entry>

</feed>


cluster/master/sites/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/master/sites/site1
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>clustermastersites</title>
 <id>https://localhost:8089/services/cluster/master/sites</id>
 <updated>2014-04-17T19:13:07+00:00</updated>
 <generator build="204899" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>site1</title>
   <id>https://localhost:8089/services/cluster/master/sites/site1</id>
   <updated>2014-04-17T19:13:07+00:00</updated>
   <link href="/services/cluster/master/sites/site1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/master/sites/site1" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="eai:attributes">
         ... elided ...
       </s:key>
       <s:key name="peers">
         <s:dict>
           <s:key name="29F9560E-A44A-425C-8753-1C6158B46C84">
             <s:dict>
               <s:key name="host_port_pair">127.0.1.1:8092</s:key>
               <s:key name="server_name">s1p3</s:key>
             </s:dict>
           </s:key>
           <s:key name="61666763-43E9-411B-9464-D80A5119EF0E">
             <s:dict>
               <s:key name="host_port_pair">127.0.1.1:8091</s:key>
               <s:key name="server_name">s1p2</s:key>
             </s:dict>
           </s:key>
           <s:key name="76C88808-2727-42B4-8C05-72DC44630FE4">
             <s:dict>
               <s:key name="host_port_pair">127.0.1.1:8090</s:key>
               <s:key name="server_name">s1p1</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
     </s:dict>
   </content>
 </entry>

</feed>


cluster/searchhead/generation GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/searchhead/generation
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>clustersearchheadgeneration</title>
 <id>https://localhost:8089/services/cluster/searchhead/generation</id>
 <updated>2012-09-05T11:13:45-07:00</updated>
 <generator build="136169" version="5.0"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>master</title>
   <id>https://localhost:8089/services/cluster/searchhead/generation/master</id>
   <updated>2012-09-05T11:13:45-07:00</updated>
   <link href="/services/cluster/searchhead/generation/master" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/searchhead/generation/master" rel="list"/>
   <content type="text/xml">
     <s:dict>
       ... eai:acl node elided ...
       <s:key name="generation_id">2</s:key>
       <s:key name="generation_peers">
         <s:dict>
           <s:key name="2AF11DD4-1424-4A14-A522-FB9D055E9516">
             <s:dict>
               <s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8389</s:key>
               <s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
             </s:dict>
           </s:key>
           <s:key name="50FCDB42-E167-458D-A6A9-E4587E8F16D9">
             <s:dict>
               <s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8189</s:key>
               <s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
     </s:dict>
   </content>
 </entry>

</feed>


cluster/searchhead/generation/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/searchhead/generation/https%3A%252F%252Fmyserver-mbp15.sv.splunk.com%3A8989
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>clustersearchheadgeneration</title>
 <id>https://localhost:53791/services/cluster/searchhead/generation</id>
 <updated>2012-09-07T14:11:59-07:00</updated>
 <generator build="136859" version="20120906"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>https://ronnie.splunk.com:53112</title>
   <id>https://localhost:53791/services/cluster/searchhead/generation/https%3A%252F%252Fronnie.splunk.com%3A53112</id>
   <updated>2012-09-07T14:11:59-07:00</updated>
   <link href="/services/cluster/searchhead/generation/https%3A%252F%252Fronnie.splunk.com%3A53112" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/searchhead/generation/https%3A%252F%252Fronnie.splunk.com%3A53112" rel="list"/>
   <content type="text/xml">
     <s:dict>
       ... eai:acl node elided ...
       ... eai:attributes node elided ...
       <s:key name="generation_id">3</s:key>
       <s:key name="generation_peers">
         <s:dict>
           <s:key name="33333333-3333-3333-3333-333333333333">
             <s:dict>
               <s:key name="host_port_pair">10.1.42.3:53309</s:key>
               <s:key name="peer">peer3</s:key>
             </s:dict>
           </s:key>
           <s:key name="44444444-4444-4444-4444-444444444444">
             <s:dict>
               <s:key name="host_port_pair">10.1.42.3:53411</s:key>
               <s:key name="peer">peer4</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
     </s:dict>
   </content>
 </entry>

</feed>


cluster/searchhead/searchheadconfig GET

XML
XML Request

curl -k -u   admin:pass https://localhost:8089/services/cluster/searchhead/searchheadconfig
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>clustersearchheadconfig</title>
 <id>https://localhost:8089/services/cluster/searchhead/searchheadconfig</id>
 <updated>2013-10-31T14:04:45-07:00</updated>
 <generator build="184661" version="20131030"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/searchhead/searchheadconfig/_new" rel="create"/>
 <link href="/services/cluster/searchhead/searchheadconfig/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>https://localhost:4567</title>
   <id>https://myserver:7588/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567</id>
   <updated>2013-10-31T14:04:45-07:00</updated>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="list"/>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567/_reload" rel="_reload"/>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="edit"/>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       ... eai:acl node elided ...
       <s:key name="master_uri">https://localhost:4567</s:key>
       <s:key name="secret">********</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


cluster/searchhead/searchheadconfig POST

XML
XML Request

curl -k -u admin:pass https://myserver:8089/services/cluster/searchhead/searchheadconfig -d name=https://myserver:4567 -d secret=testsecret
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>clustersearchheadconfig</title>
 <id>https://localhost:8089/services/cluster/searchhead/searchheadconfig</id>
 <updated>2013-10-31T14:04:45-07:00</updated>
 <generator build="184661" version="20131030"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/searchhead/searchheadconfig/_new" rel="create"/>
 <link href="/services/cluster/searchhead/searchheadconfig/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>https://localhost:4567</title>
   <id>https://myserver:8089/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567</id>
   <updated>2013-10-31T14:04:45-07:00</updated>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="list"/>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567/_reload" rel="_reload"/>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="edit"/>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       ... eai:acl node elided ...
       <s:key name="master_uri">https://localhost:4567</s:key>
       <s:key name="secret">********</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


cluster/searchhead/searchheadconfig/{name} DELETE

XML
XML Request

curl -k -u admin:changeme  --request DELETE https://myserver.splunk.com:8089/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Fmyserver%3A8211
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>clustersearchheadconfig</title>
 <id>https://myserver.splunk.com:8089/services/cluster/searchhead/searchheadconfig</id>
 <updated>2013-11-05T14:34:42-08:00</updated>
 <generator build="184986" version="20131101"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/searchhead/searchheadconfig/_new" rel="create"/>
 <link href="/services/cluster/searchhead/searchheadconfig/_reload" rel="_reload"/>
 <opensearch:totalResults>0</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>

</feed>


cluster/searchhead/searchheadconfig/{name} GET

XML
XML Request

curl -k -u admin:pass https://myserver.splunk.com:7588/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>clustersearchheadconfig</title>
 <id>https://myserver.splunk.com:8089/services/cluster/searchhead/searchheadconfig</id>
 <updated>2013-11-05T14:43:00-08:00</updated>
 <generator build="184986" version="20131101"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/searchhead/searchheadconfig/_new" rel="create"/>
 <link href="/services/cluster/searchhead/searchheadconfig/_reload" rel="_reload"/>
 ... openserch nodes elided ...
 <s:messages/>
 <entry>
   <title>https://localhost:4567</title>
   <id>https://myserver.splunk.com:7588/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567</id>
   <updated>2013-11-05T14:43:00-08:00</updated>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="list"/>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567/_reload" rel="_reload"/>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="edit"/>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list>
               <s:item>master_uri</s:item>
               <s:item>secret</s:item>
             </s:list>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="master_uri">https://localhost:4567</s:key>
       <s:key name="secret">********</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


cluster/slave/buckets GET

XML
XML Request

curl -k -u admin:pass https://localhost:8189/services/cluster/slave/buckets
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>clusterslavebuckets</title>
 <id>https://localhost:8189/services/cluster/slave/buckets</id>
 <updated>2012-09-05T12:29:42-07:00</updated>
 <generator build="136169" version="5.0"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516</title>
   <id>https://localhost:8189/services/cluster/slave/buckets/_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516</id>
   <updated>2012-09-05T12:29:42-07:00</updated>
   <link href="/services/cluster/slave/buckets/_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/slave/buckets/_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="checksum"></s:key>
       ... eai:acl node elided ...
       <s:key name="earliest_time">1346859162</s:key>
       <s:key name="generations">
         <s:dict>
           <s:key name="0">0x0</s:key>
         </s:dict>
       </s:key>
       <s:key name="latest_time">1346859257</s:key>
       <s:key name="search_state">Searchable</s:key>
       <s:key name="status">Complete</s:key>
     </s:dict>
   </content>
 </entry>
 . . . elided ...

</feed>


cluster/slave/buckets/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://myserver:8089/services/cluster/slave/buckets/_internal~58~11111111-1111-1111-1111-111111111111 -d bucket_id="_internal~58~11111111-1111-1111-1111-111111111111"
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>clusterslavebuckets</title>
 <id>https://myserver:8089/services/cluster/slave/buckets</id>
 <updated>2013-10-31T14:48:18-07:00</updated>
 <generator build="184661" version="20131030"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>0</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>

</feed>


cluster/slave/buckets/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8189/services/cluster/slave/buckets/_audit~0~B8B5E5C6-DB26-4952-AFB1-C5EFEFFFEA31
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>clusterslavebuckets</title>
 <id>https://localhost:8189/services/cluster/slave/buckets</id>
 <updated>2012-09-05T12:40:43-07:00</updated>
 <generator build="136169" version="5.0"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9</title>
   <id>https://localhost:8189/services/cluster/slave/buckets/_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9</id>
   <updated>2012-09-05T12:40:43-07:00</updated>
   <link href="/services/cluster/slave/buckets/_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/slave/buckets/_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="checksum"></s:key>
       ... eai:acl node elided ...
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="earliest_time">0</s:key>
       <s:key name="generations">
         <s:dict>
           <s:key name="0">0xffffffffffffffff</s:key>
         </s:dict>
       </s:key>
       <s:key name="latest_time">0</s:key>
       <s:key name="search_state">Searchable</s:key>
       <s:key name="status">StreamingSource</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


cluster/slave/info GET

XML
XML Request

curl -k -u admin:pass https://localhost:8189/services/cluster/slave/info
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>clusterslaveinfo</title>
 <id>https://localhost:8189/services/cluster/slave/info</id>
 <updated>2012-09-05T12:45:59-07:00</updated>
 <generator build="136169" version="5.0"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>slave</title>
   <id>https://localhost:8189/services/cluster/slave/info/slave</id>
   <updated>2012-09-05T12:45:59-07:00</updated>
   <link href="/services/cluster/slave/info/slave" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/slave/info/slave" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="active_bundle">
         <s:dict>
           <s:key name="bundle_path">/Applications/splunk-peer/var/run/splunk/cluster/remote-bundle/0f6078895127ab1f715ee78a6e1ff8a1-1346858928.bundle</s:key>
           <s:key name="checksum">36a883f4d47af66f78531ef474349b59</s:key>
           <s:key name="timestamp">1346858928</s:key>
         </s:dict>
       </s:key>
       <s:key name="base_generation_id">2</s:key>
       ... eai:acl node elided ...
       <s:key name="invalid_bundle_ids">
         <s:list/>
       </s:key>
       <s:key name="is_registered">1</s:key>
       <s:key name="last_heartbeat_attempt">1346874358</s:key>
       <s:key name="latest_bundle">
         <s:dict>
           <s:key name="bundle_path">/Applications/splunk-peer/var/run/splunk/cluster/remote-bundle/0f6078895127ab1f715ee78a6e1ff8a1-1346858928.bundle</s:key>
           <s:key name="checksum">36a883f4d47af66f78531ef474349b59</s:key>
           <s:key name="timestamp">1346858928</s:key>
         </s:dict>
       </s:key>
       <s:key name="restart_state">NoRestart</s:key>
       <s:key name="status">Up</s:key>
     </s:dict>
   </content>
 </entry>

</feed>

shcluster/captain/artifacts GET

XML
XML Request

curl -k -u admin:pass https://localhost:8189/services/shcluster/captain/artifacts
XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>shclustercaptainartifacts</title>
  <id>https://localhost:8089/services/shcluster/captain/artifacts</id>
  <updated>2014-10-15T08:44:41-07:00</updated>
  <generator build="235980" version="20141014"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/shcluster/captain/artifacts/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888</title>
    <id>https://localhost:8089/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888</id>
    <updated>2014-10-15T08:44:41-07:00</updated>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888" rel="list"/>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="artifact_size">282624</s:key>
        ... eai:acl node elided ...
        <s:key name="origin_guid">88888888-8888-8888-8888-888888888888</s:key>
        <s:key name="peers">
          <s:dict>
            <s:key name="88888888-8888-8888-8888-888888888888">
              <s:dict>
                <s:key name="directory_path">/home/svasan/splunk/searchhead/var/run/splunk/dispatch/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888</s:key>
                <s:key name="status">Complete</s:key>
              </s:dict>
            </s:key>
            <s:key name="99999999-9999-9999-9999-999999999999">
              <s:dict>
                <s:key name="directory_path">/home/svasan/splunk/dash/var/run/splunk/dispatch/rsa_scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888</s:key>
                <s:key name="status">Complete</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="service_after_time">0</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888</title>
    <id>https://localhost:8089/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888</id>
    <updated>2014-10-15T08:44:41-07:00</updated>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888" rel="list"/>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="artifact_size">282624</s:key>
        ... eai:acl node elided ...
        <s:key name="origin_guid">88888888-8888-8888-8888-888888888888</s:key>
        <s:key name="peers">
          <s:dict>
            <s:key name="88888888-8888-8888-8888-888888888888">
              <s:dict>
                <s:key name="directory_path">/home/svasan/splunk/searchhead/var/run/splunk/dispatch/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888</s:key>
                <s:key name="status">Complete</s:key>
              </s:dict>
            </s:key>
            <s:key name="99999999-9999-9999-9999-999999999999">
              <s:dict>
                <s:key name="directory_path">/home/svasan/splunk/dash/var/run/splunk/dispatch/rsa_scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888</s:key>
                <s:key name="status">Complete</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="service_after_time">0</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387300_288_88888888-8888-8888-8888-888888888888</title>
    <id>https://localhost:8089/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387300_288_88888888-8888-8888-8888-888888888888</id>
    <updated>2014-10-15T08:44:41-07:00</updated>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387300_288_88888888-8888-8888-8888-888888888888" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387300_288_88888888-8888-8888-8888-888888888888" rel="list"/>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387300_288_88888888-8888-8888-8888-888888888888" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="artifact_size">253952</s:key>
        ... eai:acl node elided ...
        <s:key name="origin_guid">88888888-8888-8888-8888-888888888888</s:key>
        <s:key name="peers">
          <s:dict>
            <s:key name="88888888-8888-8888-8888-888888888888">
              <s:dict>
                <s:key name="directory_path">/home/svasan/splunk/searchhead/var/run/splunk/dispatch/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387300_288_88888888-8888-8888-8888-888888888888</s:key>
                <s:key name="status">Complete</s:key>
              </s:dict>
            </s:key>
            <s:key name="99999999-9999-9999-9999-999999999999">
              <s:dict>
                <s:key name="directory_path">/home/svasan/splunk/dash/var/run/splunk/dispatch/rsa_scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387300_288_88888888-8888-8888-8888-888888888888</s:key>
                <s:key name="status">Complete</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="service_after_time">0</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387600_289_88888888-8888-8888-8888-888888888888</title>
    <id>https://localhost:8089/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387600_289_88888888-8888-8888-8888-888888888888</id>
    <updated>2014-10-15T08:44:41-07:00</updated>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387600_289_88888888-8888-8888-8888-888888888888" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387600_289_88888888-8888-8888-8888-888888888888" rel="list"/>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387600_289_88888888-8888-8888-8888-888888888888" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="artifact_size">253952</s:key>
        ... eai:acl node elided ...
        <s:key name="origin_guid">88888888-8888-8888-8888-888888888888</s:key>
        <s:key name="peers">
          <s:dict>
            <s:key name="88888888-8888-8888-8888-888888888888">
              <s:dict>
                <s:key name="directory_path">/home/svasan/splunk/searchhead/var/run/splunk/dispatch/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387600_289_88888888-8888-8888-8888-888888888888</s:key>
                <s:key name="status">Complete</s:key>
              </s:dict>
            </s:key>
            <s:key name="99999999-9999-9999-9999-999999999999">
              <s:dict>
                <s:key name="directory_path">/home/svasan/splunk/dash/var/run/splunk/dispatch/rsa_scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387600_289_88888888-8888-8888-8888-888888888888</s:key>
                <s:key name="status">Complete</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="service_after_time">0</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

shcluster/captain/artifacts/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8189/services/shcluster/captain/artifacts/{name}
XML Response

shcluster/captain/info GET

XML
XML Request

curl -k -u admin:pass https://localhost:8189/services/shcluster/captain/info
XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>shclustercaptaininfo</title>
  <id>https://localhost:8089/services/shcluster/captain/info</id>
  <updated>2014-10-15T08:45:25-07:00</updated>
  <generator build="235980" version="20141014"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>captain</title>
    <id>https://localhost:8089/services/shcluster/captain/info/captain</id>
    <updated>2014-10-15T08:45:25-07:00</updated>
    <link href="/services/shcluster/captain/info/captain" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/info/captain" rel="list"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="elected_captain">1413307273</s:key>
        <s:key name="id">BB3116C0-73B9-459A-B473-254A18A69776</s:key>
        <s:key name="initialized_flag">1</s:key>
        <s:key name="label">searchhead</s:key>
        <s:key name="maintenance_mode">0</s:key>
        <s:key name="min_peers_joined_flag">1</s:key>
        <s:key name="peer_scheme_host_port">https://localhost:55569</s:key>
        <s:key name="rolling_restart_flag">0</s:key>
        <s:key name="service_ready_flag">1</s:key>
        <s:key name="start_time">1413307203</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

shcluster/captain/jobs GET

XML
XML Request

curl -k -u admin:pass https://localhost:8189/services/shcluster/captain/jobs
XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>shclustercaptainjobs</title>
  <id>https://localhost:8089/services/shcluster/captain/jobs</id>
  <updated>2014-10-15T08:47:50-07:00</updated>
  <generator build="235980" version="20141014"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/shcluster/captain/jobs/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>savedsearch_Alert - syslog errors last hour_1087026166</title>
    <id>https://localhost:8089/services/shcluster/captain/jobs/savedsearch_Alert%20-%20syslog%20errors%20last%20hour_1087026166</id>
    <updated>2014-10-15T08:47:50-07:00</updated>
    <link href="/services/shcluster/captain/jobs/savedsearch_Alert%20-%20syslog%20errors%20last%20hour_1087026166" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/jobs/savedsearch_Alert%20-%20syslog%20errors%20last%20hour_1087026166" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="ATTEMPT_1">
          <s:dict>
            <s:key name="dispatch_time">1413363600</s:key>
            <s:key name="errormsg">error response peer=https://wimpy.splunk.com:55560 rc=404 reason='<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">Application does not exist: SA-nix</msg>
  </messages>
</response>
'</s:key>
            <s:key name="peer">99999999-9999-9999-9999-999999999999</s:key>
            <s:key name="sid">NO_SID_RECEIVED_YET</s:key>
            <s:key name="success">0</s:key>
          </s:dict>
        </s:key>
        <s:key name="ATTEMPT_2">
          <s:dict>
            <s:key name="dispatch_time">1413363600</s:key>
            <s:key name="peer">88888888-8888-8888-8888-888888888888</s:key>
            <s:key name="sid">scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413363600_203_88888888-8888-8888-8888-888888888888</s:key>
            <s:key name="success">1</s:key>
          </s:dict>
        </s:key>
        ... eai:acl node elided ...
        <s:key name="job_state">COMPLETED</s:key>
        <s:key name="saved_search">Alert - syslog errors last hour</s:key>
        <s:key name="savedsearchtype">savedsearch</s:key>
        <s:key name="search_app">SA-nix</s:key>
        <s:key name="search_owner">admin</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>savedsearch_Alert - syslog errors last hour_11648853</title>
    <id>https://localhost:8089/services/shcluster/captain/jobs/savedsearch_Alert%20-%20syslog%20errors%20last%20hour_11648853</id>
    <updated>2014-10-15T08:47:50-07:00</updated>
    <link href="/services/shcluster/captain/jobs/savedsearch_Alert%20-%20syslog%20errors%20last%20hour_11648853" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/jobs/savedsearch_Alert%20-%20syslog%20errors%20last%20hour_11648853" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="ATTEMPT_1">
          <s:dict>
            <s:key name="dispatch_time">1413316800</s:key>
            <s:key name="errormsg">error response peer=https://wimpy.splunk.com:55560 rc=404 reason='<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">Application does not exist: SA-nix</msg>
  </messages>
</response>
'</s:key>
            <s:key name="peer">99999999-9999-9999-9999-999999999999</s:key>
            <s:key name="sid">NO_SID_RECEIVED_YET</s:key>
            <s:key name="success">0</s:key>
          </s:dict>
        </s:key>
        <s:key name="ATTEMPT_2">
          <s:dict>
            <s:key name="dispatch_time">1413316800</s:key>
            <s:key name="peer">88888888-8888-8888-8888-888888888888</s:key>
            <s:key name="sid">scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413316800_34_88888888-8888-8888-8888-888888888888</s:key>
            <s:key name="success">1</s:key>
          </s:dict>
        </s:key>
        ... eai:acl node elided ...
        <s:key name="job_state">COMPLETED</s:key>
        <s:key name="saved_search">Alert - syslog errors last hour</s:key>
        <s:key name="savedsearchtype">savedsearch</s:key>
        <s:key name="search_app">SA-nix</s:key>
        <s:key name="search_owner">admin</s:key>
      </s:dict>
    </content>
  </entry>
      .
      .
      .
<entry>
    <title>savedsearch_fired_alerts_1050236433</title>
    <id>https://localhost:8089/services/shcluster/captain/jobs/savedsearch_fired_alerts_1050236433</id>
    <updated>2014-10-15T08:47:50-07:00</updated>
    <link href="/services/shcluster/captain/jobs/savedsearch_fired_alerts_1050236433" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/jobs/savedsearch_fired_alerts_1050236433" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="ATTEMPT_1">
          <s:dict>
            <s:key name="dispatch_time">1413308100</s:key>
            <s:key name="errormsg">error response peer=https://wimpy.splunk.com:55560 rc=404 reason='<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">Application does not exist: SA-nix</msg>
  </messages>
</response>
'</s:key>
            <s:key name="peer">99999999-9999-9999-9999-999999999999</s:key>
            <s:key name="sid">NO_SID_RECEIVED_YET</s:key>
            <s:key name="success">0</s:key>
          </s:dict>
        </s:key>
        <s:key name="ATTEMPT_2">
          <s:dict>
            <s:key name="dispatch_time">1413308100</s:key>
            <s:key name="peer">88888888-8888-8888-8888-888888888888</s:key>
            <s:key name="sid">scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413308100_2_88888888-8888-8888-8888-888888888888</s:key>
            <s:key name="success">1</s:key>
          </s:dict>
        </s:key>
        ... eai:acl node elided ...
        <s:key name="job_state">COMPLETED</s:key>
        <s:key name="saved_search">fired_alerts</s:key>
        <s:key name="savedsearchtype">savedsearch</s:key>
        <s:key name="search_app">SA-nix</s:key>
        <s:key name="search_owner">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

shcluster/captain/jobs/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8189/services/shcluster/captain/jobs/{name}
XML Response

shcluster/captain/members GET

XML
XML Request

curl -k -u admin:pass https://localhost:8189/services/shcluster/captain/members
XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>shclustercaptainmembers</title>
  <id>https://localhost:8089/services/shcluster/captain/members</id>
  <updated>2014-10-15T08:49:34-07:00</updated>
  <generator build="235980" version="20141014"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/shcluster/captain/members/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>88888888-8888-8888-8888-888888888888</title>
    <id>https://localhost:8089/services/shcluster/captain/members/88888888-8888-8888-8888-888888888888</id>
    <updated>2014-10-15T08:49:34-07:00</updated>
    <link href="/services/shcluster/captain/members/88888888-8888-8888-8888-888888888888" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/members/88888888-8888-8888-8888-888888888888" rel="list"/>
    <link href="/services/shcluster/captain/members/88888888-8888-8888-8888-888888888888" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="adhoc_searchhead">0</s:key>
        <s:key name="advertise_restart_required">0</s:key>
        <s:key name="artifact_count">4</s:key>
        <s:key name="delayed_artifacts_to_discard">
          <s:list/>
        </s:key>
        ... eai:acl node elided ...
        <s:key name="fixup_set">
          <s:list/>
        </s:key>
        <s:key name="host_port_pair">localhost:8089</s:key>
        <s:key name="kv_store_host_port">?</s:key>
        <s:key name="label">searchhead</s:key>
        <s:key name="last_heartbeat">1413388171</s:key>
        <s:key name="peer_scheme_host_port">https://localhost:8089</s:key>
        <s:key name="pending_job_count">0</s:key>
        <s:key name="replication_count">0</s:key>
        <s:key name="replication_port">3456</s:key>
        <s:key name="replication_use_ssl">0</s:key>
        <s:key name="site">site2</s:key>
        <s:key name="status">Up</s:key>
        <s:key name="status_counter">
          <s:dict>
            <s:key name="Complete">4</s:key>
            <s:key name="PendingDiscard">0</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>99999999-9999-9999-9999-999999999999</title>
    <id>https://localhost:8089/services/shcluster/captain/members/99999999-9999-9999-9999-999999999999</id>
    <updated>2014-10-15T08:49:34-07:00</updated>
    <link href="/services/shcluster/captain/members/99999999-9999-9999-9999-999999999999" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/members/99999999-9999-9999-9999-999999999999" rel="list"/>
    <link href="/services/shcluster/captain/members/99999999-9999-9999-9999-999999999999" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="adhoc_searchhead">0</s:key>
        <s:key name="advertise_restart_required">0</s:key>
        <s:key name="artifact_count">4</s:key>
        <s:key name="delayed_artifacts_to_discard">
          <s:list/>
        </s:key>
        ... eai:acl node elided ...
        <s:key name="fixup_set">
          <s:list/>
        </s:key>
        <s:key name="host_port_pair">wimpy.splunk.com:55560</s:key>
        <s:key name="kv_store_host_port">?</s:key>
        <s:key name="label">master</s:key>
        <s:key name="last_heartbeat">1413388171</s:key>
        <s:key name="peer_scheme_host_port">https://wimpy.splunk.com:55560</s:key>
        <s:key name="pending_job_count">0</s:key>
        <s:key name="replication_count">0</s:key>
        <s:key name="replication_port">55570</s:key>
        <s:key name="replication_use_ssl">0</s:key>
        <s:key name="site">site1</s:key>
        <s:key name="status">Up</s:key>
        <s:key name="status_counter">
          <s:dict>
            <s:key name="Complete">4</s:key>
            <s:key name="NonStreamingTarget">0</s:key>
            <s:key name="PendingDiscard">0</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

shcluster/captain/members/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8189/services/shcluster/captain/members/{name}
XML Response

shcluster/config GET

XML
XML Request

curl -k -u admin:pass https://localhost:8189/services/shcluster/config
XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>shclusterconfig</title>
  <id>https://localhost:8089/services/shcluster/config</id>
  <updated>2014-10-15T08:50:47-07:00</updated>
  <generator build="235980" version="20141014"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/shcluster/config/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>config</title>
    <id>https://localhost:8089/services/shcluster/config/config</id>
    <updated>2014-10-15T08:50:47-07:00</updated>
    <link href="/services/shcluster/config/config" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/config/config" rel="list"/>
    <link href="/services/shcluster/config/config/_reload" rel="_reload"/>
    <link href="/services/shcluster/config/config" rel="edit"/>
    <link href="/services/shcluster/config/config/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="cxn_timeout">60</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="heartbeat_period">5</s:key>
        <s:key name="heartbeat_timeout">60</s:key>
        <s:key name="id">BB3116C0-73B9-459A-B473-254A18A69776</s:key>
        <s:key name="max_peer_rep_load">5</s:key>
        <s:key name="mode">dynamic_captain</s:key>
        <s:key name="percent_peers_to_restart">10</s:key>
        <s:key name="ping_flag">1</s:key>
        <s:key name="quiet_period">60</s:key>
        <s:key name="rcv_timeout">60</s:key>
        <s:key name="register_replication_address"></s:key>
        <s:key name="rep_cxn_timeout">60</s:key>
        <s:key name="rep_max_rcv_timeout">600</s:key>
        <s:key name="rep_max_send_timeout">600</s:key>
        <s:key name="rep_rcv_timeout">60</s:key>
        <s:key name="rep_send_timeout">60</s:key>
        <s:key name="replication_factor">2</s:key>
        <s:key name="replication_port">3456</s:key>
        <s:key name="replication_use_ssl">0</s:key>
        <s:key name="restart_timeout">60</s:key>
        <s:key name="secret">********</s:key>
        <s:key name="send_timeout">60</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

shcluster/member/artifacts GET

XML
XML Request

curl -k -u admin:pass https://localhost:8189/services/shcluster/member/artifacts
XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>shclustermemberartifacts</title>
  <id>https://localhost:8089/services/shcluster/member/artifacts</id>
  <updated>2014-10-15T08:51:46-07:00</updated>
  <generator build="235980" version="20141014"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888</title>
    <id>https://localhost:8089/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888</id>
    <updated>2014-10-15T08:51:46-07:00</updated>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888" rel="list"/>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="status">Complete</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888</title>
    <id>https://localhost:8089/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888</id>
    <updated>2014-10-15T08:51:46-07:00</updated>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888" rel="list"/>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="status">Complete</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387900_290_88888888-8888-8888-8888-888888888888</title>
    <id>https://localhost:8089/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387900_290_88888888-8888-8888-8888-888888888888</id>
    <updated>2014-10-15T08:51:46-07:00</updated>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387900_290_88888888-8888-8888-8888-888888888888" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387900_290_88888888-8888-8888-8888-888888888888" rel="list"/>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387900_290_88888888-8888-8888-8888-888888888888" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="status">Complete</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413388200_291_88888888-8888-8888-8888-888888888888</title>
    <id>https://localhost:8089/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413388200_291_88888888-8888-8888-8888-888888888888</id>
    <updated>2014-10-15T08:51:46-07:00</updated>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413388200_291_88888888-8888-8888-8888-888888888888" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413388200_291_88888888-8888-8888-8888-888888888888" rel="list"/>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413388200_291_88888888-8888-8888-8888-888888888888" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="status">Complete</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

shcluster/member/artifacts/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8189/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413518400_762_88888888-8888-8888-8888-888888888888
XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>shclustermemberartifacts</title>
  <id>https://localhost:8089/services/shcluster/member/artifacts</id>
  <updated>2014-10-16T22:33:37-07:00</updated>
  <generator build="235980" version="20141014"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413518400_762_88888888-8888-8888-8888-888888888888</title>
    <id>https://wimpy.splunk.com:55569/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413518400_762_88888888-8888-8888-8888-888888888888</id>
    <updated>2014-10-16T22:33:37-07:00</updated>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413518400_762_88888888-8888-8888-8888-888888888888" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413518400_762_88888888-8888-8888-8888-888888888888" rel="list"/>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413518400_762_88888888-8888-8888-8888-888888888888" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        ... eai:attributes node elided ...
        <s:key name="status">Complete</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

shcluster/member/consensus GET

XML
XML Request

curl -k -u admin:pass https://localhost:8189/services/shcluster/member/consensus
XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>shclustermemberconsensus</title>
  <id>https://localhost:8089/services/shcluster/member/consensus</id>
  <updated>2014-10-15T08:52:28-07:00</updated>
  <generator build="235980" version="20141014"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>shc_cluster_configuration</title>
    <id>https://localhost:8089/services/shcluster/member/consensus/shc_cluster_configuration</id>
    <updated>2014-10-15T08:52:28-07:00</updated>
    <link href="/services/shcluster/member/consensus/shc_cluster_configuration" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/member/consensus/shc_cluster_configuration" rel="list"/>
    <link href="/services/shcluster/member/consensus/shc_cluster_configuration" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="configuration_id">4</s:key>
        ... eai:acl node elided ...
        <s:key name="servers_list">https://localhost:55560,https://localhost:55569</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

shcluster/member/info GET

XML
XML Request

curl -k -u admin:pass https://localhost:8189/services/shcluster/member/info
XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>shclustermemberinfo</title>
  <id>https://localhost:8089/services/shcluster/member/info</id>
  <updated>2014-10-15T08:53:07-07:00</updated>
  <generator build="235980" version="20141014"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>member</title>
    <id>https://localhost:8089/services/shcluster/member/info/member</id>
    <updated>2014-10-15T08:53:07-07:00</updated>
    <link href="/services/shcluster/member/info/member" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/member/info/member" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="adhoc_searchhead">0</s:key>
        ... eai:acl node elided ...
        <s:key name="is_registered">1</s:key>
        <s:key name="last_heartbeat_attempt">1413388386</s:key>
        <s:key name="maintenance_mode">0</s:key>
        <s:key name="peer_load_stats_gla_15m">3</s:key>
        <s:key name="peer_load_stats_gla_1m">0</s:key>
        <s:key name="peer_load_stats_gla_5m">1</s:key>
        <s:key name="peer_load_stats_max_runtime">0.000000</s:key>
        <s:key name="peer_load_stats_num_autosummary">0</s:key>
        <s:key name="peer_load_stats_num_historical">0</s:key>
        <s:key name="peer_load_stats_num_realtime">0</s:key>
        <s:key name="peer_load_stats_num_running">0</s:key>
        <s:key name="peer_load_stats_total_runtime">0.000000</s:key>
        <s:key name="restart_state">NoRestart</s:key>
        <s:key name="status">Up</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

Configuration endpoints

Configuration endpoint descriptions

Manage configuration files and settings.



configs/conf-{file}


https://<host>:<mPort>/services/configs/conf-{file}

Authentication: Not required

Description

Access a configuration, .conf, file.

See also
Method summary
Method Description Formats
GET List {file} configuration file stanzas. XML, JSON
POST Add stanza to {file} configuration file. XML, JSON

GET configs/conf-{file} method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys

None

Application usage

POST configs/conf-{file} method detail

Example

Request parameters
Name Type Default Description
name
required
String Stanza name in {file} configuration file.
<variable> String Arbritrary number of key/value pairs.
Response data keys

None

Application usage

[ Top ]



configs/conf-{file}/{stanza}


https://<host>:<mPort>/services/configs/conf-{file}/{stanza}

Authentication: Not required

Description

Manage configuration file stanzas.

See also


Method summary
Method Description Formats
DELETE Delete {stanza} in {file} configuration file. XML, JSON
GET Get {stanza} in {file} configuration file. XML, JSON
POST Update or add property to {stanza} in {file} configuration file. XML, JSON

DELETE configs/conf-{file}/{stanza} method detail

Example

Request parameters

None

Response data keys

None


GET configs/conf-{file}/{stanza} method detail

Example

Request parameters

None

Response data keys

None


POST configs/conf-{file}/{stanza} method detail

Example

Request parameters
Name Type Default Description
<variable> String Arbitrary number of key/value pairs to update.
Response data keys

None

[ Top ]



properties


https://<host>:<mPort>/services/properties

Authentication: Not required

Description

Manage configuration, .conf, files.

See also


Method summary
Method Description Formats
GET List all system and app configuration files. XML, JSON
POST Create a configuration file. XML, JSON

GET properties method detail

Example

Request parameters

None

Response data keys

None


POST properties method detail

Example

Request parameters
Name Type Default Description
__conf
required
String Name of the configuration file to create. (Note double underscore prefix.
Response data keys

None

Application usage

The namespace specified in the URL determines where the configuration file is created. For example, /services/properties creates the file in the $SPLUNK_BASE/etc/system/local directory and servicesNS/nobody/search creates the file in the $SPLUNK_BASE/etc/apps/search/local directory.

[ Top ]



properties/{file}


https://<host>:<mPort>/services/properties/{file}

Authentication: Not required

Description

Access stanzas in specified configuration file.

See also
Method summary
Method Description Formats
GET List stanzas in {file} configuration file. XML, JSON
POST Add stanza to {file} configuration file. XML, JSON

GET properties/{file} method detail

Example

Request parameters

None

Response data keys

None

The endpoint returns an <entry> for each stanza in addition to <default> stanzas.

Application usage

The URL namespace determines the scope of visible stanzas. The endpoint returns all stanzas of the specified configuration file, for all configuration files and stanzas visible in the namespace.


POST properties/{file} method detail

Example

Request parameters
Name Type Default Description
__stanza
required
String The key/value pair of the stanza to add. Note double underscore prefix.
Response data keys

None

[ Top ]



properties/{file}/{stanza}


https://<host>:<mPort>/services/properties/{file}/{stanza}

Authentication: Not required

Description

Access stanza key/value pair(s) of specified configuration file.

See also
Method summary
Method Description Formats
GET List {stanza} key/value pair(s) of {file} configuration file. XML, JSON
POST Add or update one or more key/value pair(s) in {stanza} of {file} configuration file. XML, JSON

GET properties/{file}/{stanza} method detail

Example

Request parameters

None

Response data keys

None

Each <entry> is a {stanza} key with a <content> value.

Application usage

The URL namespace determines the scope of visible stanzas. The endpoint returns all stanzas of the specified configuration file, for all configuration files and stanzas visible in the namespace.


POST properties/{file}/{stanza} method detail

Example

Request parameters
Name Type Default Description
<variable>
required
String One or more key/value pair(s).
Response data keys

None

A response <message> indicates the update success or failure status.

[ Top ]



properties/{file}/{stanza}/{key}


https://<host>:<mPort>/services/properties/{file}/{stanza}/{key}

Authentication: Not required

Description

Access stanza key value of specified configuration file.

See also
Method summary
Method Description Formats
GET Get plaintext {key} value in {stanza} of {file} configuration file. XML, JSON
POST Update plaintext {key} value in {stanza} of {file} configuration file. XML, JSON

GET properties/{file}/{stanza}/{key} method detail

Example

Request parameters

None

Response data keys
Name Description
<variable> Plaintext value.

POST properties/{file}/{stanza}/{key} method detail

Example

Request parameters
Name Type Default Description
<variable>
required
String Plaintext value.
Response data keys

None

[ Top ]

Configuration endpoint examples

configs/conf-{file} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/configs/conf-props
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>conf-props</title>
 <id>https://localhost:8089/services/configs/conf-props</id>
 <updated>2011-07-08T01:01:26-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/configs/conf-props/_new" rel="create"/>
 <link href="/services/configs/conf-props/_reload" rel="_reload"/>
 <!-- opensearch nodes elided for brevity. -->
 <s:messages/>
 <entry>
   <title>(?i)source::....zip(.\d+)?</title>
   <id>https://localhost:8089/servicesNS/nobody/system/configs/conf-props/%28%3Fi%29source%3A%3A....zip%28.%5Cd%2B%29%3F</id>
   <updated>2011-07-08T01:01:26-07:00</updated>
   <link href="/servicesNS/nobody/system/configs/conf-props/%28%3Fi%29source%3A%3A....zip%28.%5Cd%2B%29%3F" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/configs/conf-props/%28%3Fi%29source%3A%3A....zip%28.%5Cd%2B%29%3F" rel="list"/>
   <link href="/servicesNS/nobody/system/configs/conf-props/%28%3Fi%29source%3A%3A....zip%28.%5Cd%2B%29%3F/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/configs/conf-props/%28%3Fi%29source%3A%3A....zip%28.%5Cd%2B%29%3F" rel="edit"/>
   <link href="/servicesNS/nobody/system/configs/conf-props/%28%3Fi%29source%3A%3A....zip%28.%5Cd%2B%29%3F/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="ANNOTATE_PUNCT">1</s:key>
       <s:key name="BREAK_ONLY_BEFORE"/>
       <s:key name="BREAK_ONLY_BEFORE_DATE">1</s:key>
       <s:key name="CHARSET">UTF-8</s:key>
       <s:key name="DATETIME_CONFIG">/etc/datetime.xml</s:key>
       <s:key name="HEADER_MODE"/>
       <s:key name="LEARN_SOURCETYPE">1</s:key>
       <s:key name="LINE_BREAKER_LOOKBEHIND">100</s:key>
       <s:key name="MAX_DAYS_AGO">2000</s:key>
       <s:key name="MAX_DAYS_HENCE">2</s:key>
       <s:key name="MAX_DIFF_SECS_AGO">3600</s:key>
       <s:key name="MAX_DIFF_SECS_HENCE">604800</s:key>
       <s:key name="MAX_EVENTS">256</s:key>
       <s:key name="MAX_TIMESTAMP_LOOKAHEAD">128</s:key>
       <s:key name="MUST_BREAK_AFTER"/>
       <s:key name="MUST_NOT_BREAK_AFTER"/>
       <s:key name="MUST_NOT_BREAK_BEFORE"/>
       <s:key name="NO_BINARY_CHECK">1</s:key>
       <s:key name="SEGMENTATION">indexing</s:key>
       <s:key name="SEGMENTATION-all">full</s:key>
       <s:key name="SEGMENTATION-inner">inner</s:key>
       <s:key name="SEGMENTATION-outer">outer</s:key>
       <s:key name="SEGMENTATION-raw">none</s:key>
       <s:key name="SEGMENTATION-standard">standard</s:key>
       <s:key name="SHOULD_LINEMERGE">1</s:key>
       <s:key name="TRANSFORMS"/>
       <s:key name="TRUNCATE">10000</s:key>
       <s:key name="disabled">0</s:key>
       <!-- eai:acl nodes elided for brevity. -->
       <s:key name="eai:appName">search</s:key>
       <s:key name="eai:userName">admin</s:key>
       <s:key name="maxDist">100</s:key>
       <s:key name="sourcetype">preprocess-zip</s:key>
       <s:key name="unarchive_cmd">_auto</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


configs/conf-{file} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/configs/conf-props -d CHARSET=UTF-8
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>conf-props</title>
 <id>https://localhost:8089/servicesNS/nobody/search/configs/conf-props</id>
 <updated>2011-07-08T01:01:26-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/nobody/search/configs/conf-props/_new" rel="create"/>
 <link href="/servicesNS/nobody/search/configs/conf-props/_reload" rel="_reload"/>
 <!-- opensearch nodes elided for brevity. -->
 <s:messages/>
 <entry>
   <title>myweblogs</title>
   <id>https://localhost:8089/servicesNS/nobody/search/configs/conf-props/myweblogs</id>
   <updated>2011-07-08T01:01:26-07:00</updated>
   <link href="/servicesNS/nobody/search/configs/conf-props/myweblogs" rel="alternate"/>
   <author>
     <name>admin</name>
   </author>
   <link href="/servicesNS/nobody/search/configs/conf-props/myweblogs" rel="list"/>
   <link href="/servicesNS/nobody/search/configs/conf-props/myweblogs/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/configs/conf-props/myweblogs" rel="edit"/>
   <link href="/servicesNS/nobody/search/configs/conf-props/myweblogs" rel="remove"/>
   <link href="/servicesNS/nobody/search/configs/conf-props/myweblogs/move" rel="move"/>
   <link href="/servicesNS/nobody/search/configs/conf-props/myweblogs/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="ANNOTATE_PUNCT">1</s:key>
       <s:key name="BREAK_ONLY_BEFORE"/>
       <s:key name="BREAK_ONLY_BEFORE_DATE">1</s:key>
       <s:key name="CHARSET">UTF-8</s:key>
       <s:key name="DATETIME_CONFIG">/etc/datetime.xml</s:key>
       <s:key name="HEADER_MODE"/>
       <s:key name="LEARN_SOURCETYPE">1</s:key>
       <s:key name="LINE_BREAKER_LOOKBEHIND">100</s:key>
       <s:key name="MAX_DAYS_AGO">2000</s:key>
       <s:key name="MAX_DAYS_HENCE">2</s:key>
       <s:key name="MAX_DIFF_SECS_AGO">3600</s:key>
       <s:key name="MAX_DIFF_SECS_HENCE">604800</s:key>
       <s:key name="MAX_EVENTS">256</s:key>
       <s:key name="MAX_TIMESTAMP_LOOKAHEAD">128</s:key>
       <s:key name="MUST_BREAK_AFTER"/>
       <s:key name="MUST_NOT_BREAK_AFTER"/>
       <s:key name="MUST_NOT_BREAK_BEFORE"/>
       <s:key name="SEGMENTATION">indexing</s:key>
       <s:key name="SEGMENTATION-all">full</s:key>
       <s:key name="SEGMENTATION-inner">inner</s:key>
       <s:key name="SEGMENTATION-outer">outer</s:key>
       <s:key name="SEGMENTATION-raw">none</s:key>
       <s:key name="SEGMENTATION-standard">standard</s:key>
       <s:key name="SHOULD_LINEMERGE">0</s:key>
       <s:key name="TRANSFORMS"/>
       <s:key name="TRUNCATE">10000</s:key>
       <s:key name="disabled">0</s:key>
       <!-- eai:acl nodes elided for brevity. -->
       <s:key name="eai:appName">search</s:key>
       <s:key name="eai:userName">admin</s:key>
       <s:key name="maxDist">100</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


configs/conf-{file}/{stanza} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/configs/conf-props/myweblogs
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>conf-props</title>
 <id>https://localhost:8089/servicesNS/nobody/search/configs/conf-props</id>
 <updated>2011-07-08T01:01:27-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/nobody/search/configs/conf-props/_new" rel="create"/>
 <link href="/servicesNS/nobody/search/configs/conf-props/_reload" rel="_reload"/>
 <!-- opensearch nodes elided for brevity. -->
 <s:messages/>

</feed>


configs/conf-{file}/{stanza} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>conf-eventtypes</title>
 <id>https://localhost:8089/servicesNS/nobody/search/configs/conf-eventtypes</id>
 <updated>2014-07-01T13:08:45-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/nobody/search/configs/conf-eventtypes/_new" rel="create"/>
 <link href="/servicesNS/nobody/search/configs/conf-eventtypes/_reload" rel="_reload"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>splunkd_message</title>
   <id>https://localhost:8089/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message</id>
   <updated>2014-07-01T13:08:45-07:00</updated>
   <link href="/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message" rel="alternate"/>
   <author>
     <name>admin</name>
   </author>
   <link href="/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message" rel="list"/>
   <link href="/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message" rel="edit"/>
   <link href="/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message" rel="remove"/>
   <link href="/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message/move" rel="move"/>
   <link href="/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="CHARSET">UTF-8</s:key>
       <s:key name="description"></s:key>
       <s:key name="disabled">0</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app">search</s:key>
           <s:key name="can_change_perms">1</s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_share_app">1</s:key>
           <s:key name="can_share_global">1</s:key>
           <s:key name="can_share_user">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">1</s:key>
           <s:key name="owner">admin</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>power</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">1</s:key>
           <s:key name="sharing">global</s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:appName">search</s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list>
               <s:item>.*</s:item>
             </s:list>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:userName">nobody</s:key>
       <s:key name="priority">1</s:key>
       <s:key name="search"></s:key>
       <s:key name="tags"></s:key>
     </s:dict>
   </content>
 </entry>

</feed>


configs/conf-{file}/{stanza} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/configs/conf-props/myweblogs -d SHOULD_LINEMERGE=true
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>conf-props</title>
 <id>https://localhost:8089/servicesNS/nobody/search/configs/conf-props</id>
 <updated>2011-07-08T01:01:26-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/nobody/search/configs/conf-props/_new" rel="create"/>
 <link href="/servicesNS/nobody/search/configs/conf-props/_reload" rel="_reload"/>
 <!-- opensearch nodes elided for brevity. -->
 <s:messages/>
 <entry>
   <title>myweblogs</title>
   <id>https://localhost:8089/servicesNS/nobody/search/configs/conf-props/myweblogs</id>
   <updated>2011-07-08T01:01:26-07:00</updated>
   <link href="/servicesNS/nobody/search/configs/conf-props/myweblogs" rel="alternate"/>
   <author>
     <name>admin</name>
   </author>
   <link href="/servicesNS/nobody/search/configs/conf-props/myweblogs" rel="list"/>
   <link href="/servicesNS/nobody/search/configs/conf-props/myweblogs/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/configs/conf-props/myweblogs" rel="edit"/>
   <link href="/servicesNS/nobody/search/configs/conf-props/myweblogs" rel="remove"/>
   <link href="/servicesNS/nobody/search/configs/conf-props/myweblogs/move" rel="move"/>
   <link href="/servicesNS/nobody/search/configs/conf-props/myweblogs/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="ANNOTATE_PUNCT">1</s:key>
       <s:key name="BREAK_ONLY_BEFORE"/>
       <s:key name="BREAK_ONLY_BEFORE_DATE">1</s:key>
       <s:key name="CHARSET">UTF-8</s:key>
       <s:key name="DATETIME_CONFIG">/etc/datetime.xml</s:key>
       <s:key name="HEADER_MODE"/>
       <s:key name="LEARN_SOURCETYPE">1</s:key>
       <s:key name="LINE_BREAKER_LOOKBEHIND">100</s:key>
       <s:key name="MAX_DAYS_AGO">2000</s:key>
       <s:key name="MAX_DAYS_HENCE">2</s:key>
       <s:key name="MAX_DIFF_SECS_AGO">3600</s:key>
       <s:key name="MAX_DIFF_SECS_HENCE">604800</s:key>
       <s:key name="MAX_EVENTS">256</s:key>
       <s:key name="MAX_TIMESTAMP_LOOKAHEAD">128</s:key>
       <s:key name="MUST_BREAK_AFTER"/>
       <s:key name="MUST_NOT_BREAK_AFTER"/>
       <s:key name="MUST_NOT_BREAK_BEFORE"/>
       <s:key name="SEGMENTATION">indexing</s:key>
       <s:key name="SEGMENTATION-all">full</s:key>
       <s:key name="SEGMENTATION-inner">inner</s:key>
       <s:key name="SEGMENTATION-outer">outer</s:key>
       <s:key name="SEGMENTATION-raw">none</s:key>
       <s:key name="SEGMENTATION-standard">standard</s:key>
       <s:key name="SHOULD_LINEMERGE">1</s:key>
       <s:key name="TRANSFORMS"/>
       <s:key name="TRUNCATE">10000</s:key>
       <s:key name="disabled">0</s:key>
       <!-- eai:acl nodes elided for brevity. -->
       <s:key name="eai:appName">search</s:key>
       <s:key name="eai:userName">admin</s:key>
       <s:key name="maxDist">100</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


properties GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/properties
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot;>

<title>properties</title>
 <id>https://localhost:8089/services/properties</id>
 <updated>2014-07-01T13:17:36-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <entry>
   <title>alert_actions</title>
   <id>https://localhost:8089/services/properties/alert_actions</id>
   <updated>2014-07-01T13:17:36-07:00</updated>
   <link href="/services/properties/alert_actions" rel="alternate"/>
 </entry>
 <entry>
   <title>app</title>
   <id>https://localhost:8089/services/properties/app</id>
   <updated>2014-07-01T13:17:36-07:00</updated>
   <link href="/services/properties/app" rel="alternate"/>
 </entry>
 <entry>
   <title>audit</title>
   <id>https://localhost:8089/services/properties/audit</id>
   <updated>2014-07-01T13:17:36-07:00</updated>
   <link href="/services/properties/audit" rel="alternate"/>
 </entry>
       .
       .
       .
     elided
       .
       .
       .
 <entry>
   <title>viewstates</title>
   <id>https://localhost:8089/services/properties/viewstates</id>
   <updated>2014-07-01T13:17:36-07:00</updated>
   <link href="/services/properties/viewstates" rel="alternate"/>
 </entry>
 <entry>
   <title>web</title>
   <id>https://localhost:8089/services/properties/web</id>
   <updated>2014-07-01T13:17:36-07:00</updated>
   <link href="/services/properties/web" rel="alternate"/>
 </entry>
 <entry>
   <title>workflow_actions</title>
   <id>https://localhost:8089/services/properties/workflow_actions</id>
   <updated>2014-07-01T13:17:36-07:00</updated>
   <link href="/services/properties/workflow_actions" rel="alternate"/>
 </entry>

</feed>


properties POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/properties -d __conf=myAppConfigFile
XML Response

No response body.

Returns: HTTP status = 201 (created)


properties/{file} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/properties/eventtypes
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot;>

<title>eventtypes</title>
 <id>https://localhost:8089/servicesNS/nobody/search/properties/eventtypes</id>
 <updated>2014-07-17T10:24:53-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <entry>
   <title>default</title>
   <id>https://localhost:8089/servicesNS/nobody/search/properties/eventtypes/default</id>
   <updated>2014-07-17T10:24:53-07:00</updated>
   <link href="/servicesNS/nobody/search/properties/eventtypes/default" rel="alternate"/>
 </entry>
 <entry>
   <title>internal_search_terms</title>
   <id>https://localhost:8089/servicesNS/nobody/search/properties/eventtypes/internal_search_terms</id>
   <updated>2014-07-17T10:24:53-07:00</updated>
   <link href="/servicesNS/nobody/search/properties/eventtypes/internal_search_terms" rel="alternate"/>
 </entry>
 <entry>
   <title>proxylogs</title>
   <id>https://localhost:8089/servicesNS/nobody/search/properties/eventtypes/proxylogs</id>
   <updated>2014-07-17T10:24:53-07:00</updated>
   <link href="/servicesNS/nobody/search/properties/eventtypes/proxylogs" rel="alternate"/>
 </entry>
 <entry>
   <title>splunkd-access</title>
   <id>https://localhost:8089/servicesNS/nobody/search/properties/eventtypes/splunkd-access</id>
   <updated>2014-07-17T10:24:53-07:00</updated>
   <link href="/servicesNS/nobody/search/properties/eventtypes/splunkd-access" rel="alternate"/>
 </entry>
 <entry>
   <title>splunkd-log</title>
   <id>https://localhost:8089/servicesNS/nobody/search/properties/eventtypes/splunkd-log</id>
   <updated>2014-07-17T10:24:53-07:00</updated>
   <link href="/servicesNS/nobody/search/properties/eventtypes/splunkd-log" rel="alternate"/>
 </entry>
 <entry>
   <title>splunkd_message</title>
   <id>https://localhost:8089/servicesNS/nobody/search/properties/eventtypes/splunkd_message</id>
   <updated>2014-07-17T10:24:53-07:00</updated>
   <link href="/servicesNS/nobody/search/properties/eventtypes/splunkd_message" rel="alternate"/>
 </entry>

</feed>


properties/{file} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/properties/eventtypes -d __stanza=proxylogs
XML Response

No data returned in body.

Returns: HTTP status 201 (created)


properties/{file}/{stanza} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/properties/props/proxylogs
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>proxylogs</title>
 <id>https://localhost:8089/services/properties/props/proxylogs</id>
 <updated>2011-07-08T12:08:52-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <entry>
   <title>ANNOTATE_PUNCT</title>
   <id>https://localhost:8089/services/properties/props/proxylogs/ANNOTATE_PUNCT</id>
   <updated>2011-07-08T12:08:52-07:00</updated>
   <link href="/services/properties/props/proxylogs/ANNOTATE_PUNCT" rel="alternate"/>
   <content type="text">True</content>
 </entry>
 <entry>
   <title>BREAK_ONLY_BEFORE</title>
   <id>https://localhost:8089/services/properties/props/proxylogs/BREAK_ONLY_BEFORE</id>
   <updated>2011-07-08T12:08:52-07:00</updated>
   <link href="/services/properties/props/proxylogs/BREAK_ONLY_BEFORE" rel="alternate"/>
   <content type="text"/>
 </entry>
 <entry>
   <title>BREAK_ONLY_BEFORE_DATE</title>
   <id>https://localhost:8089/services/properties/props/proxylogs/BREAK_ONLY_BEFORE_DATE</id>
   <updated>2011-07-08T12:08:52-07:00</updated>
   <link href="/services/properties/props/proxylogs/BREAK_ONLY_BEFORE_DATE" rel="alternate"/>
   <content type="text">True</content>
 </entry>
       .
       .
       .
     elided
       .
       .
       .
 <entry>
   <title>TRANSFORMS</title>
   <id>https://localhost:8089/services/properties/props/proxylogs/TRANSFORMS</id>
   <updated>2011-07-08T12:08:52-07:00</updated>
   <link href="/services/properties/props/proxylogs/TRANSFORMS" rel="alternate"/>
   <content type="text"/>
 </entry>
 <entry>
   <title>TRUNCATE</title>
   <id>https://localhost:8089/services/properties/props/proxylogs/TRUNCATE</id>
   <updated>2011-07-08T12:08:52-07:00</updated>
   <link href="/services/properties/props/proxylogs/TRUNCATE" rel="alternate"/>
   <content type="text">10000</content>
 </entry>
 <entry>
   <title>maxDist</title>
   <id>https://localhost:8089/services/properties/props/proxylogs/maxDist</id>
   <updated>2011-07-08T12:08:52-07:00</updated>
   <link href="/services/properties/props/proxylogs/maxDist" rel="alternate"/>
   <content type="text">100</content>
 </entry>

</feed>


properties/{file}/{stanza} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/properties/props/proxylogs -d NO_BINARY_CHECK=true -d CHARSET=UTF-8
XML Response

<response>

<messages>
   <msg type="INFO">Successfully modified 2 key(s)</msg>
 </messages>

</response>


properties/{file}/{stanza}/{key} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/properties/props/proxylogs/SHOULD_LINEMERGE
XML Response

Returns: True


properties/{file}/{stanza}/{key} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/properties/props/proxylogs/SHOULD_LINEMERGE -d value=false
XML Response

<response>

<messages>
   <msg type="INFO">Successfully modified 1 key(s)</msg>
 </messages>

</response>

Deployment endpoints

Deployment endpoint descriptions

Manage deployment servers and clients.

A deployment server configures a deployment client. Deployment clients and servers can reside on separate, distributed Splunk Enterprise instances or can both reside on the same instance.

deployment/client


https://<host>:<mPort>/services/deployment/client

Authentication: Not required

Description

List deployment client configuration and status.

Method summary
Method Description Formats
GET Get deployment client list with enabled status, server class, and host and port number of each. XML, JSON

GET deployment/client method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys

For each deployment client:

Name Description
disabled Disabled status:
0 = Enabled
1 = Disabled
serverClasses List of member server classes for app download authorization.
targetUri Host and port number (<host>:<port>).

[ Top ]



deployment/client/config


https://<host>:<mPort>/services/deployment/client/config

Authentication: Not required

Description

Get deployment client configuration and status.

Method summary
Method Description Formats
GET Get deployment client enabled status, server class for app distribution, and host and port number. XML, JSON

GET deployment/client/config method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
disabled Disabled status:
0 = Enabled
1 = Disabled
serverClasses List of member server classes for app download authorization.
targetUri Host and port number (<host>:<port>).

[ Top ]



deployment/client/config/listIsDisabled


https://<host>:<mPort>/services/deployment/client/config/listIsDisabled

Authentication: Not required

Description

Get deployment client status.

Method summary
Method Description Formats
GET Get deployment client disabled status. XML, JSON

GET deployment/client/config/listIsDisabled method detail

Example

Request parameters

None

Response data keys
Name Description
disabled Disabled status:
0 = Enabled
1 = Disabled

[ Top ]



deployment/client/{name}/reload


https://<host>:<mPort>/services/deployment/client/{name}/reload

Authentication: Not required

Description

Restart and reload {name} deployment client.

Method summary
Method Description Formats
POST Restart {name} deployment client and reload configuration from disk. XML, JSON

POST deployment/client/{name}/reload method detail

Example

Request parameters

None

Response data keys
Name Description
disabled Disabled status:
0 = Enabled
1 = Disabled
serverClasses List of member server classes for app download authorization.
targetUri Host and port number (<host>:<port>).

[ Top ]



deployment/server/applications


https://<host>:<mPort>/services/deployment/server/applications

Authentication: Not required

Description

Selectively list distributed apps.

Method summary
Method Description Formats
GET Selectively list distributed apps, including distributed state information. XML, JSON

GET deployment/server/applications method detail

Example

Request parameters
Name Type Default Description
clientId String Select apps that match clientId.
hasDeploymentError Boolean Select apps according to deployment fault status:
0 = Do not include apps with a deployment fault indication.
1 = Include apps with a deployment fault indication.

Pagination and filtering parameters can be used with this method.

Response data keys

For each app listed:

Name Description
archive Disk location of the archived version of the app.
clientId Deployment client ID associated with the app, an MD5 hash value of serialized (catenated) client attributes.
hasDeploymentError Indicates deployment fault status on at least one deployment client:
0 = Do not include apps with a deployment fault indication.
1 = Include apps with a deployment fault indication.
loadtime Last deployment server app loaded or reloaded date and time.
restartSplunkWeb Restart Splunk Web indication:
0 = Do not restart Splunk Web.
1 = Restart Splunk Web.
restartSplunkd Restart splunkd indication:
0 = Do not restart splunkd.
1 = Restart splunkd.
serverclasses List of server classes associated with the application.
size Size on disk of the compressed app (bundle), in bytes.
stateOnClient App enablement status:
0 = Not enabled.
1 = Enabled.
Application usage

An application not mapped to serverclasses is not loaded so loadtime is 0.

[ Top ]



deployment/server/applications/{name}


https://<host>:<mPort>/services/deployment/server/applications/{name}

Authentication: Not required

Description

Get or update distribution information for {name} app.

Method summary
Method Description Formats
GET Get {name} app distribution information. XML, JSON
POST Update {name} app distribution information. XML, JSON

GET deployment/server/applications/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
Attribute Description
archive Disk location of archived version of the app.
clientId Deployment client ID associated with the app, an MD5 hash value of serialized (catenated) client attributes.
hasDeploymentError Indicates deployment fault status on at least one deployment client:
0 = Do not include apps with a deployment fault indication.
1 = Include apps with a deployment fault indication.
loadtime Last deployment server app loaded or reloaded date and time.
restartSplunkWeb Restart Splunk Web indication:
0 = Do not restart Splunk Web.
1 = Restart Splunk Web.
restartSplunkd Restart splunkd indication:
0 = Do not restart splunkd.
1 = Restart splunkd.
serverclasses List of server classes associated with the application.
size Size on disk of the compressed app (bundle), in bytes.
stateOnClient App enablement status:
0 = Not enabled.
1 = Enabled.
Application usage

An application not mapped to serverclasses is not loaded so loadtime is 0.


POST deployment/server/applications/{name} method detail

Example

Request parameters
Name Type Default Description
blacklist.* String List of hosts to exclude when mapping application to a server class. For each blacklist, replace the wildcard (*) with an ordinal number to specify additional blacklists. Filter ordinals must start at 0 and be consecutive.
continueMatching Boolean Configuration layering indication, across classes and server-specific settings:
true = [Default] Configuration lookups continue matching server classes after the first match.
false = Use the first match, only.
deinstall Boolean Remove mapping indication:
true = Remove mapping of {name} from all server classes and delete it from client target repositories.
false = Do not remove mapping of {name}.
filterType Enum Filter execution order:
whitelist = Whitelist filters are applied before blacklist filters.
blacklist = Blacklist filters are applied before whitelist filters.
machineTypesFilter String Comma-separated list of filters to be used in Boolean and logic with whitelist and blacklist filters.

Only clients that match the white/blacklist filters AND that match this machineTypesFilter are included.

Thus the match is an intersection of the matches for the white/blacklist and the matches for MachineTypesFilter.

The patterns are PCRE regular expressions, with the following aids for easier entry:

  • You can specify '.' to mean '\\.'
  • You can specify '*' to mean '.*'
  • Matches are always case-insensitive; you do not need to specify the '(?i)' prefix.
repositoryLocation String The location on the deployment server to store the content that is to be deployed for this server class.

For example: $SPLUNK_HOME/etc/deployment-apps

restartSplunkWeb Boolean Indicates whether to restart SplunkWeb on the client when a member app or a directly configured app is updated.

Defaults to false

restartSplunkd Boolean Indicates whether to restart splunkd on the client when a member app or a directly configured app is updated.

Defaults to false

serverclass String The name of the server class to which the application is mapped.

Do not specify this parameter if deinstall is true.

stateOnClient Enum Valid values are (enabled | disabled | noop).
  • enabled: Default value. Sets the application state to enabled on the client, regardless of state on the deployment server.
  • disabled: Sets the application state to disabled on the client, regardless of state on the deployment server.
  • noop: The state on the client is the same as on the deployment server.
targetRepositoryLocation String The location on the deployment client to install the apps defined for this Deployment Server.

If unset, or set to empty, the repositoryLocation path is used. That is, defaults to:

$SPLUNK_HOME/etc/apps (the live configuration directory for a Splunk Enterprise instance)

Useful only with complex (for example, tiered) deployment strategies.

tmpFolder String Working folder used by deployment server.

Defaults to $SPLUNK_HOME/var/run/tmp

unmap Boolean Indicates whether to remove the mapping of the application to the specified server class.
whitelist.* String List of hosts to accept for this server class.

For each whitelist, replace * with an ordinal number to specify additional whitelists. Filter ordinals must start at 0 and be consecutive.

Response data keys
Name Description
archive Specifies the location of the compressed version (bundle) of the app.
blacklist.* Regular expressions used to exclude, when mapping this application to a client.

If a client matches any of the blacklist regular expressions, it does not receive the application. The * is replaced by an integral ordinal number.

continueMatching If true, configuration lookups continue matching server classes, beyond the first match. If false, only the first match is used.
filterType blacklist)

Determines the order of execution of filters. If filterType is whitelist, all whitelist filters are applied first, followed by blacklist filters. If filterType is blacklist, all blacklist filters are applied first, followed by whitelist filters.

See description for the filterType POST parameter for more information.

loadtime Specifies the date and time the application was last loaded (or reloaded) by the deployment server.

An application not mapped to any serverclasses does not get loaded, thus its loadtime attribute is 0; in epoch terms, which is 01 Jan 1970 at midnight GMT.

machineTypesFilter List of filters to be used in Boolean and logic with whitelist and blacklist filters.
repositoryLocation The location on the deployment server to store the content that is to be deployed for this server class.
restartSplunkWeb Indicates whether to restart Splunk Web.
restartSplunkd Indicates whether to restart splunkd.
serverclass The name of the server class to which the application is mapped.
serverclasses List of server classes associated with the application.
size Indicates in bytes the size on disk of the compressed version (bundle) of the application.
stateOnClient Specifies whether the deployment client is enabled or disabled.
targetRepositoryLocation The location on the deployment client to install the apps defined for this Deployment Server.

If unset, or set to empty, the repositoryLocation path is used.

tmpFolder Working folder used by deployment server.
whitelist.* Regular expressions used to accept, when mapping this application to a client.

If a client matches any of the whitelist regular expressions, it accepts the application. The * is replaced by an integral ordinal number.

Application usage

When continueMatching is true, matching is in the order in which server classes are defined.

The whitelist setting indicates a filtering strategy that includes a subset:

The blacklist setting indicates a filtering strategy that excludes a subset:

That is,

whitelist: default no-match -> whitelists enable -> blacklists disable
blacklist: default match -> blacklists disable-> whitelists enable

If you specify whitelist at the global level, and then specify blacklist for an individual server class, the setting becomes blacklist for that server class, and you have to provide another filter in that server class definition to replace the one you overrode.

[ Top ]



deployment/server/clients


https://<host>:<mPort>/services/deployment/server/clients

Authentication: Not required

Description

Provides access to information about clients to a deployment server.

Method summary
Method Description Formats
GET Lists information about clients to a deployment server. XML, JSON

GET deployment/server/clients method detail

Example

Request parameters
Name Type Default Description
application String Lists clients to the deployment server that have attempted to download the named application.
hasDeploymentError Boolean False Indicates whether to list only clients that have a deployment error.
maxPhonehome_latency_to_avgInterval_ratio Number List clients to the deployment server when the ratio of the phone home latency to the average phone home interval is less than the value supplied to this parameter.
minLatestPhonehomeTime Number Lists clients for which there is a phone home message at the specified time or later, in epoch seconds. That is, list the client for the following condition:

  client latency ? (now?minLatestPhonehomeTime)

minPhonehome_latency_to_avgInterval_ratio Number List clients to the deployment server when the ratio of the phone home latency to the average phone home interval is greater than the value supplied with this parameter.
serverclasses String Comma-separated list of serverclasses. List clients that are configured to receive an application to a listed serverclass.

The match is a logical OR of, for each Si, include C if C is sent an app A that maps to Si in serverclass.conf, if such an app existed.

The "would have" is per blacklist.n or whitelist.n/machineTypesFilter in serverclass.conf

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
applications List of applications deployed to the deployment client.
averagePhoneHomeInterval The average phone home interval, in seconds.
build The build number for the instance of Splunk Enterprise on the deployment client.
dns The DNS lookup name of the deployment client server.
guid Identifier for the deployment server client.
hasDeploymentError Specifies whether to check for clients with a deployment error.
hostname The host name of the deployment client server.
id ID for the client based on client name and IP address.
ip The IP address of the client to the deployment server.
lastPhoneHomeTime The last time the deployment client phones home to the deployment server, in epoch time.
mgmt The managment port for the deployment client.
minLatestPhonehomeTime Specifies in epoch seconds the minimum latency for a client to contact the deployment server.
minPhonehome_latency_to_avgInterval_ratio The minimum value specified for the ratio of the phone home latency to the average phone home interval.
name The name of the deployment client server.
serverclasses List of server classes for the deployment client.
utsname Machine type for the deployment server client.

[ Top ]



deployment/server/clients/countClients_by_machineType


https://<host>:<mPort>/services/deployment/server/clients/countClients_by_machineType

Authentication: Not required

Description

Access information about deployment clients to this server according to the machine type of the client.

Method summary
Method Description Formats
GET Lists the count of deployment clients to this server by machine type. XML, JSON

GET deployment/server/clients/countClients_by_machineType method detail

Example

Request parameters

None

Response data keys
Name Description
counts The list of machine types for this deployment client, showing the count of each machine type.

[ Top ]



deployment/server/clients/countRecentDownloads


https://<host>:<mPort>/services/deployment/server/clients/countRecentDownloads

Authentication: Not required

Description

Access the count of the number of downloads from this client to the deployment server during the last specified time period.

Method summary
Method Description Formats
GET Return the count of the number of downloads from this client to the deployment server during the last specified time period. XML, JSON

GET deployment/server/clients/countRecentDownloads method detail

Example

Request parameters
Name Type Default Description
application String Count the number of downloads for clients that have attempted to download the named application.
hasDeploymentError Boolean Indicates whether to count downloads for clients that have a deployment error.
maxAgeSecs
required
Number Age of the downloads to count, in seconds.
maxPhonehome_latency_to_avgInterval_ratio Number List the count of recent download by this client to the deployment server when the ratio of the phone home latency to the average phone home interval is less than the value supplied to this parameter
minLatestPhonehomeTime Number Specifies in epoch seconds the minimum latency for a client to contact the deployment server. This endpoint lists the number of downloads for clients to the deployment server with a latency equal to or greater than specified by this parameter.
minPhonehome_latency_to_avgInterval_ratio Number List the number of recent downloads by clients to the deployment server when the ratio of the phone home latency to the average phone home interval is greater than the value supplied with this parameter.
serverclasses String Comma-separated list of server classes. Lists the number of recent downloads by clients to the deployment server that are configured to send an application to a listed serverclass.
Response data keys
Name Description
count The number of recent downloads.

[ Top ]



deployment/server/clients/{name}


https://<host>:<mPort>/services/deployment/server/clients/{name}

Authentication: Not required

Description

Get client information or remove a client.

Method summary
Method Description Formats
DELETE Removes the specified client from the deployment server registry. The next time the client "phones home" the record is re-created. XML, JSON
GET Lists information about the named client to the deployment server. XML, JSON

DELETE deployment/server/clients/{name} method detail

Example

Request parameters

None

Response data keys

None


GET deployment/server/clients/{name} method detail

Example

Request parameters
Name Type Default Description
application String Lists information about this client with respect to the named application.
hasDeploymentError Boolean Indicates whether to list this client if has a deployment error.
maxPhonehome_latency_to_avgInterval_ratio Number List clients to the deployment server when the ratio of the phone home latency to the average phone home interval is less than the value supplied to this parameter.
minLatestPhonehomeTime Number Specifies in epoch seconds the minimum latency for a client to contact the deployment server. This endpoint lists information about the named client if it has a latency equal to or greater than specified by this parameter.
minPhonehome_latency_to_avgInterval_ratio Number List information about the named client to the deployment server when the ratio of the phone home latency to the average phone home interval is greater than the value supplied with this parameter.
serverclasses String Comma-separated list of serverclasses. Lists information about this client if it is configured to send an application to a listed serverclass.
Response data keys
Name Description
application The name of the application specified to filter the results of this call.
applications List of applications deployed to the deployment client.
averagePhoneHomeInterval The average phone home interval, in seconds.
build The build number for the instance of Splunk Enterprise on the deployment client.
dns The DNS lookup name of the deployment client server.
guid Identifier for the deployment server client.
hasDeploymentError Specifies whether to check for clients with a deployment error.
hostname The host name of the deployment client server.
id ID for the client based on client name and IP address.
ip The IP address of the client to the deployment server.
lastPhoneHomeTime The last time the deployment client phones home to the deployment server, in epoch time.
maxPhonehome_latency_to_avgInterval_ratio The maximum value specified for the ratio of the phone home latency to the average phone home interval.
mgmt The managment port for the deployment client.
minLatestPhonehomeTime Specifies in epoch seconds the minimum latency for a client to contact the deployment server.
minPhonehome_latency_to_avgInterval_ratio The minimum value specified for the ratio of the phone home latency to the average phone home interval.
name The name of the deployment client server.
serverClasses The list of server classes to which the client belongs.
serverclasses List of server classes for the deployment client.
utsname Machine type for the deployment server client.

[ Top ]



deployment/server/config


https://<host>:<mPort>/services/deployment/server/config

Authentication: Not required

Description

Access server configuration information for deployment servers.

Method summary
Method Description Formats
GET List configuration information for all deployment servers. XML, JSON

GET deployment/server/config method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
currentDownloads The number of current downloads for this deployment server.
disabled Indicates whether the deployment server is disabled.
loadTime The time, in epoch seconds, the serverclass for this server was loaded.
repositoryLocation The location on the deployment server to store the content that is to be deployed.
whitelist.0 Lists the contents of whitelist.0.

[ Top ]



deployment/server/config/attributesUnsupportedInUI


https://<host>:<mPort>/services/deployment/server/config/attributesUnsupportedInUI

Authentication: Not required

Description

Access deployment server attriutes that cannot be configured from Splunk Web.

Method summary
Method Description Formats
GET Lists deployment server attributes that cannot be configured from Splunk Web. XML, JSON

GET deployment/server/config/attributesUnsupportedInUI method detail

Example

Request parameters

None

Response data keys
Name Description
property The attribute that cannot be configured from Splunk Web.
reason The reason an attribute cannot be configured from Splunk Web.
stanza The stanza in serverclass.conf that lists deployment server attributes that cannot be configured from Splunk Web.

[ Top ]



deployment/server/config/listIsDisabled


https://<host>:<mPort>/services/deployment/server/config/listIsDisabled

Authentication: Not required

Description

Access information as to whether the deployment server is enabled.

Method summary
Method Description Formats
GET List whether the deployment server is disabled. XML, JSON

GET deployment/server/config/listIsDisabled method detail

Example

Request parameters

None

Response data keys
Name Description
disabled Indicates if the deployment server is disabled.

[ Top ]



deployment/server/serverclasses


https://<host>:<mPort>/services/deployment/server/serverclasses

Authentication: Not required

Description

Access information about server classes.

Method summary
Method Description Formats
GET List server classes for this deployment server. XML, JSON
POST Creates a server class. XML, JSON

GET deployment/server/serverclasses method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
blacklist-size The number of entires in the blacklist for this serverclass.
clientId ID of deployment client for this server class.
currentDownloads Number of applications currently downloaded.
hasDeploymentError Indicates whether the serverclass has at least one deployment error.
loadTime The time, in epoch seconds, this serverclass was loaded.
machineTypesFilter List of filters to be used in Boolean and logic with whitelist and blacklist filters.
repositoryList List of applications stored at the location specified by repositoryLocation.
repositoryLocation The location on the deployment server to store the content that is to be deployed for this server class.
restartSplunkWeb Indicates whether to restart Splunk Web.
restartSplunkd Indicates whether to restart splunkd.
stateOnClient Indicates whether this server class is enabled or disabled.
whitelist-size Specifies the number of entries in the whitelist for this server class.
whitelist.0 List of servers for whitelist.0 for this server class.

POST deployment/server/serverclasses method detail

Example

Request parameters
Name Type Default Description
name
required
String The name of the server class.
blacklist.* String List of hosts to exclude for this server class.

For each blacklist, replace * with an ordinal number to specify additional blacklists. Filter ordinals must start at 0 and be consecutive.

continueMatching Boolen Controls how configuration is layered across classes and server-specific settings.

If true, configuration lookups continue matching server classes, beyond the first match. If false, only the first match is used. Matching is done in the order that server classes are defined. Defaults to true.

A serverClass can override this property and stop the matching.

filterType Enum Valid values: (whitelist | blacklist)

Determines the order of execution of filters. If filterType is whitelist, all whitelist filters are applied first, followed by blacklist filters. If filterType is blacklist, all blacklist filters are applied first, followed by whitelist filters.

The whitelist setting indicates a filtering strategy that pulls in a subset:

  • Items are not considered to match the server class by default.
  • Items that match any whitelist entry, and do not match any blacklist entry, are considered to match the server class.
  • Items that match any blacklist entry are not considered to match the server class, regardless of whitelist.

The blacklist setting indicates a filtering strategy that rules out a subset:

  • Items are considered to match the server class by default.
  • Items that match any blacklist entry, and do not match any whitelist entry, are considered to not match the server class.
  • Items that match any whitelist entry are considered to match the server class.

More briefly:

whitelist: default no-match -> whitelists enable -> blacklists disable
blacklist: default match -> blacklists disable-> whitelists enable

If you specify whitelist at the global level, and then specify blacklist for an individual server class, the setting becomes blacklist for that server class, and you have to provide another filter in that server class definition to replace the one you overrode.

machineTypesFilter String Comma-separated list of filters to be used in Boolean and logic with whitelist and blacklist filters.

Only clients that match the white/blacklist filters AND that match this machineTypesFilter are included.

Thus the match is an intersection of the matches for the white/blacklist and the matches for MachineTypesFilter.

The patterns are PCRE regular expressions, with the following aids for easier entry:

  • You can specify '.' to mean '\\.'
  • You can specify '*' to mean '.*'
  • Matches are always case-insensitive; you do not need to specify the '(?i)' prefix.
repositoryLocation String The location on the deployment server to store the content that is to be deployed for this server class.

For example: $SPLUNK_HOME/etc/deployment-apps

restartSplunkWeb Boolean Indicates whether to restart SplunkWeb on the client when a member app or a directly configured app is updated.

Defaults to false

restartSplunkd Boolean Indicates whether to restart splunkd on the client when a member app or a directly configured app is updated.

Defaults to false

stateOnClient Enum Valid values are (enabled | disabled | noop).
  • enabled: Default value. Sets the application state to enabled on the client, regardless of state on the deployment server.
  • disabled: Sets the application state to disabled on the client, regardless of state on the deployment server.
  • noop: The state on the client is the same as on the deployment server.
targetRepositoryLocation String The location on the deployment client to install the apps defined for this Deployment Server.

If unset, or set to empty, the repositoryLocation path is used. That is, defaults to:

$SPLUNK_HOME/etc/apps (the live configuration directory for a Splunk instance

Useful only with complex (for example, tiered) deployment strategies.


tmpFolder String Working folder used by deployment server.

Defaults to $SPLUNK_HOME/var/run/tmp

whitelist.* String List of hosts to accept for this server class.

For each whitelist, replace * with an ordinal number to specify additional whitelists. Filter ordinals must start at 0 and be consecutive.

Response data keys
Name Description
blacklist-size The number of entries in the blacklist for this serverclass.
blacklist.* Regular expressions used to exclude for this server class.

If a client matches any of the blacklist regular expressions, it is not included in the server class. The * is replaced by an integral ordinal number.

continueMatching If true, configuration lookups continue matching server classes, beyond the first match. If false, only the first match is used.
currentDownloads Number of applications currently downloaded.
filterType blacklist)

Determines the order of execution of filters. If filterType is whitelist, all whitelist filters are applied first, followed by blacklist filters. If filterType is blacklist, all blacklist filters are applied first, followed by whitelist filters.

See description for the filterType POST parameter for more information.

loadTime The time, in epoch seconds, this serverclass was loaded.
machineTypesFilter List of filters to be used in Boolean and logic with whitelist and blacklist filters.
repositoryList List of applications stored at the location specified by repositoryLocation.
repositoryLocation The location on the deployment server to store the content that is to be deployed for this server class.
restartSplunkWeb Indicates whether to restart Splunk Web.
restartSplunkd Indicates whether to restart splunkd.
stateOnClient Specifies whether the deployment client is enabled or disabled.
targetRepositoryLocation The location on the deployment client to install the apps defined for this Deployment Server.

If unset, or set to empty, the repositoryLocation path is used.

That is, defaults to: $SPLUNK_HOME/etc/apps (the live configuration directory for a Splunk Enterprise instance.

Useful only with complex (for example, tiered) deployment strategies.

tmpFolder Working folder used by deployment server.

Defaults to $SPLUNK_HOME/var/run/tmp

whitelist-size Specifies the number of entries in the whitelist for this server class.
whitelist.* Regular expressions used to accept for this server class.

If a client matches any of the whitelist regular expressions, it is included in the server class. The * is replaced by an integral ordinal number.

[ Top ]



deployment/server/serverclasses/rename


https://<host>:<mPort>/services/deployment/server/serverclasses/rename

Authentication: Not required

Description

Rename a server class.

Method summary
Method Description Formats
POST Specify a new name for a server class. XML, JSON

POST deployment/server/serverclasses/rename method detail

Example

Request parameters
Name Type Default Description
newName
required
String The new name of the server class.
oldName
required
String The current name of the server class.
Response data keys

None

[ Top ]



deployment/server/serverclasses/{name}


https://<host>:<mPort>/services/deployment/server/serverclasses/{name}

Authentication: Not required

Description

Manage the {name} serverclass.

Method summary
Method Description Formats
DELETE Remove the specfied server class from this deployment server. XML, JSON
GET List information about the named server class. XML, JSON
POST Update the named server class. XML, JSON

DELETE deployment/server/serverclasses/{name} method detail

Example

Request parameters

None

Response data keys

None


GET deployment/server/serverclasses/{name} method detail

Example

Request parameters
Name Type Default Description
clientId String GUID of a deployment client that is a member of the named server class. Lists information about the named server class with respect to this client.
hasDeploymentError Boolean Indicates whether to only list server classes that have a deployment error.
Response data keys
Name Description
blacklist-size Specifies the size of the blacklist for the named server class.
clientId ID of deployment client for this server class.
currentDownloads The number of entires in the blacklist for this serverclass.
hasDeploymentError Indicates whether the serverclass has at least one deployment error.
loadTime The time, in epoch seconds, this serverclass was loaded.
machineTypesFilter List of filters to be used in Boolean and logic with whitelist and blacklist filters.
repositoryList List of applications stored at the location specified by repositoryLocation.
repositoryLocation The location on the deployment server to store the content that is to be deployed for this server class.
restartSplunkWeb Indicates whether to restart Splunk Web.
restartSplunkd Indicates whether to restart splunkd.
stateOnClient Indicates whether this server class is enabled or disabled.
whitelist-size Specifies the number of entries in the whitelist for this server class.
whitelist.0 List of servers for whitelist.0 for this server class.

POST deployment/server/serverclasses/{name} method detail

Example

Request parameters
Name Type Default Description
blacklist.* String List of hosts to exclude for this server class.

For each blacklist, replace * with an ordinal number to specify additional blacklists. Filter ordinals must start at 0 and be consecutive.

continueMatching Boolen Controls how configuration is layered across classes and server-specific settings.

If true, configuration lookups continue matching server classes, beyond the first match. If false, only the first match is used. Matching is done in the order that server classes are defined. Defaults to true.

A serverClass can override this property and stop the matching.

filterType Enum Valid values: (whitelist | blacklist)

Determines the order of execution of filters. If filterType is whitelist, all whitelist filters are applied first, followed by blacklist filters. If filterType is blacklist, all blacklist filters are applied first, followed by whitelist filters.

The whitelist setting indicates a filtering strategy that pulls in a subset:

  • Items are not considered to match the server class by default.
  • Items that match any whitelist entry, and do not match any blacklist entry, are considered to match the server class.
  • Items that match any blacklist entry are not considered to match the server class, regardless of whitelist.

The blacklist setting indicates a filtering strategy that rules out a subset:

  • Items are considered to match the server class by default.
  • Items that match any blacklist entry, and do not match any whitelist entry, are considered to not match the server class.
  • Items that match any whitelist entry are considered to match the server class.

More briefly:

whitelist: default no-match -> whitelists enable -> blacklists disable
blacklist: default match -> blacklists disable-> whitelists enable

If you specify whitelist at the global level, and then specify blacklist for an individual server class, the setting becomes blacklist for that server class, and you have to provide another filter in that server class definition to replace the one you overrode.

machineTypesFilter String Comma-separated list of filters to be used in Boolean and logic with whitelist and blacklist filters.

Only clients that match the white/blacklist filters AND that match this machineTypesFilter are included.

Thus the match is an intersection of the matches for the white/blacklist and the matches for MachineTypesFilter.

The patterns are PCRE regular expressions, with the following aids for easier entry:

  • You can specify '.' to mean '\\.'
  • You can specify '*' to mean '.*'
  • Matches are always case-insensitive; you do not need to specify the '(?i)' prefix.
repositoryLocation String The location on the deployment server to store the content that is to be deployed for this server class.

For example: $SPLUNK_HOME/etc/deployment-apps

restartSplunkWeb Boolean Indicates whether to restart SplunkWeb on the client when a member app or a directly configured app is updated.

Defaults to false

restartSplunkd Boolean Indicates whether to restart splunkd on the client when a member app or a directly configured app is updated.

Defaults to false

stateOnClient Enum Valid values are (enabled | disabled | noop).
  • enabled: Default value. Sets the application state to enabled on the client, regardless of state on the deployment server.
  • disabled: Sets the application state to disabled on the client, regardless of state on the deployment server.
  • noop: The state on the client is the same as on the deployment server.
targetRepositoryLocation String The location on the deployment client to install the apps defined for this Deployment Server.

If unset, or set to empty, the repositoryLocation path is used. That is, defaults to:

$SPLUNK_HOME/etc/apps (the live configuration directory for a Splunk instance

Useful only with complex (for example, tiered) deployment strategies.


tmpFolder String Working folder used by deployment server.

Defaults to $SPLUNK_HOME/var/run/tmp

whitelist.* String List of hosts to accept for this server class.

For each whitelist, replace * with an ordinal number to specify additional whitelists. Filter ordinals must start at 0 and be consecutive.

Response data keys

None

[ Top ]



search/distributed/bundle-replication-files


https://<host>:<mPort>/services/search/distributed/bundle-replication-files

Authentication: Not required

Description

Provide access to distributed search bundle replication files.

Method summary
Method Description Formats
GET List distributed search bundle replication files. XML, JSON

GET search/distributed/bundle-replication-files method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys

None

[ Top ]



search/distributed/bundle-replication-files/{name}


https://<host>:<mPort>/services/search/distributed/bundle-replication-files/{name}

Authentication: Not required

Description

Get {name} bundle replication file information.

Method summary
Method Description Formats
GET LIst information about the specified bundle replication file. For {name}, specify the checksum for the file. XML, JSON

GET search/distributed/bundle-replication-files/{name} method detail

Example

Request parameters
Name Type Default Description
force_list_all Boolean Indicates whether to force a listing of the file.
Response data keys

None

[ Top ]



search/distributed/config


https://<host>:<mPort>/services/search/distributed/config

Authentication: Not required

Description

Provides access to the Splunk Enterprise distributed search options. This option is not for adding search peers.

Method summary
Method Description Formats
GET Lists the configuration options for the distributed search system. XML, JSON

GET search/distributed/config method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
autoAddServers [Deprecated]
blacklistNames List of filenames that match the blacklist pattern, and are not replicated.
blacklistURLs List of URLs that are blacklisted, and thus is not replicated.
checkTimedOutServersFrequency Rechecks servers at the specified frequency (in seconds). If this is set to 0, then no recheck occurs. Defaults to 60.

This attribute is ONLY relevant if removeTimedOutServers is set to true. If removeTimedOutServers is false, this attribute is ignored.

connectionTimeout Connection timeout.
disabled Indicates if the distributed search is disabled.
dist_search_enabled Indicates if the distributed search is enabled.
heartbeatFrequency [Deprecated]
heartbeatMcastAddr [Deprecated]
heartbeatPort [Deprecated]
receiveTimeout Amount of time in seconds to use as a timeout while trying to read/receive data from a search peer.
removedTimedOutServers If true, removes a server connection that cannot be made within serverTimeout.

If false, every call to that server attempts to connect. This may result in a slow user interface.

sendTimeout Send timeout.
serverTimeout [Deprecated] Refer to connectionTimeout, sendTimeout, and receiveTimeout.
servers The initial list of servers.

If operating completely in autoAddServers mode (discovering all servers), there is no need to list any servers here.

shareBundles Indicates whether this server uses bundle replication to share search time configuration with search peers.

If set to false, the search head assumes that the search peers can access the correct bundles using an NFS share and have correctly configured the options listed under: "SEARCH HEAD BUNDLE MOUNTING OPTIONS."

skipOurselves [Deprecated]
statusTimeout Set connection timeout when gathering a search peer's basic info (/services/server/info). Read/write timeouts are automatically set to twice this value.
ttl [Deprecated]

[ Top ]



search/distributed/peers


https://<host>:<mPort>/services/search/distributed/peers

Authentication: Not required

Description

Provides distributed peer server management. A search peer is defined as a splunk server to which another splunk server distributes searches. The splunk server where the search request originates is referred to as the search head.

Method summary
Method Description Formats
GET Returns a list of configured search peers that this search head is configured to distribute searches to. This includes configured search peers disabled. XML, JSON

GET search/distributed/peers method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
build The Splunk Enterprise build number for this peer.
bundle_versions The IDs of the bundles (of this search head) that the peer has.

The IDs are sorted from latest to earliest.

disabled Indicates if the peer is disabled.
guid GUID of the peer.
is_https Inidcates if the management port is ussing SSL.
licenseSignature The license signature.
peerName The Splunk Enterprise server name of the peer.
peerType Specifies whether the peer is configured or discovered.
replicationStatus The status of bundle replication to this peer. Can be any of the following values:
Initial
In progress
Failed
Successful
Mounted
status The status of the peer.

Can be one of the following values:

Up
Down
Blacklisted
Not a Splunk server
Free Splunk server
Authentication Failed
Duplicate License
Duplicate Servername
Inconsistent bundles
version The Splunk Enterprise version string this peer is running.

[ Top ]



search/distributed/peers/{name}


https://<host>:<mPort>/services/search/distributed/peers

Authentication: Not required

Description

Provides distributed peer server management. A search peer is defined as a splunk server to which another splunk server distributes searches. The splunk server where the search request originates is referred to as the search head.

Method summary
Method Description Formats
POST Returns a list of configured search peers that this search head is configured to distribute searches to. This includes configured search peers disabled. XML, JSON

POST search/distributed/peers/{name} method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
build The Splunk Enterprise build number for this peer.
bundle_versions The IDs of the bundles (of this search head) that the peer has.

The IDs are sorted from latest to earliest.

disabled Indicates if the peer is disabled.
guid GUID of the peer.
is_https Inidcates if the management port is ussing SSL.
licenseSignature The license signature.
peerName The Splunk Enterprise server name of the peer.
peerType Specifies whether the peer is configured or discovered.
replicationStatus The status of bundle replication to this peer. Can be any of the following values:
Initial
In progress
Failed
Successful
Mounted
status The status of the peer.

Can be one of the following values:

Up
Down
Blacklisted
Not a Splunk server
Free Splunk server
Authentication Failed
Duplicate License
Duplicate Servername
Inconsistent bundles
version The Splunk Enterprise version string this peer is running.

[ Top ]

Deployment endpoint examples

deployment/client GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/client
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>deploymentclient</title>
 <id>https://localhost:8089/services/deployment/client</id>
 <updated>2011-07-11T00:35:37-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>deployment-client</title>
   <id>https://localhost:8089/services/deployment/client/deployment-client</id>
   <updated>2011-07-11T00:35:37-07:00</updated>
   <link href="/services/deployment/client/deployment-client" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/deployment/client/deployment-client" rel="list"/>
   <link href="/services/deployment/client/deployment-client" rel="edit"/>
   <link href="/services/deployment/client/deployment-client/reload" rel="reload"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="disabled">0</s:key>
       ... eai:acl node elided ...
       <s:key name="serverClasses">
         <s:list>
           <s:item>dstest:dstestapp</s:item>
         </s:list>
       </s:key>
       <s:key name="targetUri">essplunk:8089</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



deployment/client/config GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/client/config
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>deploymentclient</title>
 <id>https://localhost:8089/services/deployment/client</id>
 <updated>2013-07-31T20:49:58-07:00</updated>
 <generator build="172889" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/deployment/client/listIsDisabled" rel="listIsDisabled"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>config</title>
   <id>https://localhost:8089/services/deployment/client/config</id>
   <updated>2013-07-31T20:49:58-07:00</updated>
   <link href="/services/deployment/client/config" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/deployment/client/config" rel="list"/>
   <link href="/services/deployment/client/config" rel="edit"/>
   <link href="/services/deployment/client/config/reload" rel="reload"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="disabled">0</s:key>
       ... eai:acl node elided ...
       ... eai:attributes node elided ...
       <s:key name="serverClasses">
         <s:list>
           <s:item>sc_apps_wma:wma-app2</s:item>
           <s:item>sc_apps_wma:wma-app1</s:item>
           <s:item>sc_mach_type:wma-app2</s:item>
           <s:item>sc_new:wma-app2</s:item>
           <s:item>sc_new:wma-app1</s:item>
         </s:list>
       </s:key>
       <s:key name="targetUri">localhost:8089</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



deployment/client/config/listIsDisabled GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/client/config/listIsDisabled
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>deploymentclient</title>
 <id>https://localhost:8089/services/deployment/client</id>
 <updated>2013-08-04T18:49:25-07:00</updated>
 <generator build="172889" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/deployment/client/listIsDisabled" rel="listIsDisabled"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>default</title>
   <id>https://localhost:8089/services/deployment/client/default</id>
   <updated>2013-08-04T18:49:25-07:00</updated>
   <link href="/services/deployment/client/default" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/deployment/client/default" rel="list"/>
   <link href="/services/deployment/client/default" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="disabled">0</s:key>
       ... eai:acl node elided ...
     </s:dict>
   </content>
 </entry>

</feed>



deployment/client/config/reload POST

XML
XML Request

curl -k -u admin:pass -X POST https://localhost:8089/services/deployment/client/config/reload
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>deploymentclient</title>
 <id>https://localhost:8089/services/deployment/client</id>
 <updated>2013-10-07T15:49:06-07:00</updated>
 <generator build="182462" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/deployment/client/listIsDisabled" rel="listIsDisabled"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>config</title>
   <id>https://localhost:8089/services/deployment/client/config</id>
   <updated>2013-10-07T15:49:06-07:00</updated>
   <link href="/services/deployment/client/config" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/deployment/client/config" rel="list"/>
   <link href="/services/deployment/client/config" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="disabled">1</s:key>
       ... eai:acl node elided ...
     </s:dict>
   </content>
 </entry>

</feed>



deployment/client/{name}/reload POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/client/deployment-client/reload
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>deploymentclient</title>
 <id>https://localhost:8089/services/deployment/client</id>
 <updated>2011-07-11T00:39:23-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>deployment-client</title>
   <id>https://localhost:8089/services/deployment/client/deployment-client</id>
   <updated>2011-07-11T00:39:23-07:00</updated>
   <link href="/services/deployment/client/deployment-client" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/deployment/client/deployment-client" rel="list"/>
   <link href="/services/deployment/client/deployment-client" rel="edit"/>
   <link href="/services/deployment/client/deployment-client/reload" rel="reload"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="disabled">0</s:key>
       ... eai:acl node elided ...
       <s:key name="serverClasses">
         <s:list>
           <s:item>dstest:dstestapp</s:item>
         </s:list>
       </s:key>
       <s:key name="targetUri">tiny:8089</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



deployment/server/applications GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/applications
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>applications</title>
 <id>https://localhost:8089/services/deployment/server/applications</id>
 <updated>2013-08-01T09:35:22-07:00</updated>
 <generator build="172889" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/deployment/server/applications/_new" rel="create"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>wma-app-test2</title>
   <id>https://localhost:8089/services/deployment/server/applications/wma-app2</id>
   <updated>2013-08-01T09:35:22-07:00</updated>
   <link href="/services/deployment/server/applications/wma-app2" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <content type="text/xml">
     <s:dict>
       <s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_new/wma-app2-1375305443.bundle</s:key>
       ... eai:acl node elided ...
       <s:key name="loadtime">Wed Jul 31 14:17:23 2013</s:key>
       <s:key name="restartSplunkWeb">0</s:key>
       <s:key name="restartSplunkd">0</s:key>
       <s:key name="serverclasses">
         <s:list>
           <s:item>sc_mach_type</s:item>
           <s:item>sc_new</s:item>
           <s:item>sc_apps_wma</s:item>
         </s:list>
       </s:key>
       <s:key name="size">112640</s:key>
       <s:key name="stateOnClient">enabled</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>wma-app1</title>
   <id>https://localhost:8089/services/deployment/server/applications/wma-app1</id>
   <updated>2013-08-01T09:35:22-07:00</updated>
   <link href="/services/deployment/server/applications/wma-app_test1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <content type="text/xml">
     <s:dict>
       <s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_new/wma-app1-1375305443.bundle</s:key>
       ... eai:acl node elided ...
       <s:key name="loadtime">Wed Jul 31 14:17:23 2013</s:key>
       <s:key name="restartSplunkWeb">0</s:key>
       <s:key name="restartSplunkd">0</s:key>
       <s:key name="serverclasses">
         <s:list>
           <s:item>sc_new</s:item>
           <s:item>sc_apps_wma</s:item>
         </s:list>
       </s:key>
       <s:key name="size">112640</s:key>
       <s:key name="stateOnClient">enabled</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



deployment/server/applications/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/applications/wma-app1
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>applications</title>
 <id>https://localhost:8089/services/deployment/server/applications</id>
 <updated>2013-08-04T18:53:50-07:00</updated>
 <generator build="172889" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/deployment/server/applications/_new" rel="create"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>wma-app1</title>
   <id>https://localhost:8089/services/deployment/server/applications/wma-app1</id>
   <updated>2013-08-04T18:53:50-07:00</updated>
   <link href="/services/deployment/server/applications/wma-app1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <content type="text/xml">
     <s:dict>
       <s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_new/wma-app1-1375467593.bundle</s:key>
       ... eai:acl node elided ...
       <s:key name="eai:attributes">... elided ...</s:key>
       <s:key name="loadtime">Fri Aug  2 11:19:53 2013</s:key>
       <s:key name="restartSplunkWeb">0</s:key>
       <s:key name="restartSplunkd">0</s:key>
       <s:key name="serverclasses">
         <s:list>
           <s:item>sc_new</s:item>
           <s:item>sc_apps_wma</s:item>
         </s:list>
       </s:key>
       <s:key name="size">112640</s:key>
       <s:key name="stateOnClient">enabled</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



deployment/server/applications/{name} POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/deployment/server/applications/wma-app3 -d serverclass=sc_apps_wma
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>applications</title>
 <id>https://localhost:8089/services/deployment/server/applications</id>
 <updated>2013-08-10T12:50:59-07:00</updated>
 <generator build="176231" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/deployment/server/applications/_new" rel="create"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>wma-app3</title>
   <id>https://localhost:8089/services/deployment/server/applications/wma-app3</id>
   <updated>2013-08-10T12:50:59-07:00</updated>
   <link href="/services/deployment/server/applications/wma-app3" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <content type="text/xml">
     <s:dict>
       <s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_mach_type/wma-app3-1376164259.bundle</s:key>
       ... eai:acl node elided ...
       <s:key name="loadtime">Sat Aug 10 12:50:59 2013</s:key>
       <s:key name="restartSplunkWeb">0</s:key>
       <s:key name="restartSplunkd">0</s:key>
       <s:key name="serverclasses">
         <s:list>
           <s:item>sc_mach_type</s:item>
           <s:item>sc_apps_wma</s:item>
         </s:list>
       </s:key>
       <s:key name="size">112640</s:key>
       <s:key name="stateOnClient">enabled</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



deployment/server/clients GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/clients
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>serverclients</title>
 <id>https://localhost:8089/services/deployment/server/clients</id>
 <updated>2013-08-01T09:41:42-07:00</updated>
 <generator build="172889" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/deployment/server/clients/countClients_by_machineType" rel="countClients_by_machineType"/>
 <link href="/services/deployment/server/clients/countRecentDownloads" rel="countRecentDownloads"/>
 <link href="/services/deployment/server/clients/getMatchingAppsForClient_dryRun" rel="getMatchingAppsForClient_dryRun"/>
 <link href="/services/deployment/server/clients/preview" rel="preview"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>dc95537d0e8fdadc44d00c50fc431e25</title>
   <id>https://localhost:8089/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25</id>
   <updated>2013-08-01T09:41:42-07:00</updated>
   <link href="/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25" rel="list"/>
   <link href="/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="applications">
         <s:dict>
           <s:key name="wma-app-test2">
             <s:dict>
               <s:key name="action">Install</s:key>
               <s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_new/wma-app2-1375305443.bundle</s:key>
               <s:key name="restartSplunkWeb">0</s:key>
               <s:key name="restartSplunkd">0</s:key>
               <s:key name="result">Ok</s:key>
               <s:key name="serverclasses">
                 <s:list>
                   <s:item>sc_mach_type</s:item>
                   <s:item>sc_new</s:item>
                   <s:item>sc_apps_wma</s:item>
                 </s:list>
               </s:key>
               <s:key name="size">112640</s:key>
               <s:key name="stateOnClient">enabled</s:key>
               <s:key name="timestamp">Wed Jul 31 14:11:23 2013</s:key>
             </s:dict>
           </s:key>
           <s:key name="wma-app_test1">
             <s:dict>
               <s:key name="action">Install</s:key>
               <s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_new/wma-app1-1375305443.bundle</s:key>
               <s:key name="restartSplunkWeb">0</s:key>
               <s:key name="restartSplunkd">0</s:key>
               <s:key name="result">Ok</s:key>
               <s:key name="serverclasses">
                 <s:list>
                   <s:item>sc_new</s:item>
                   <s:item>sc_apps_wma</s:item>
                 </s:list>
               </s:key>
               <s:key name="size">112640</s:key>
               <s:key name="stateOnClient">enabled</s:key>
               <s:key name="timestamp">Wed Jul 31 14:17:23 2013</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="averagePhoneHomeInterval">60</s:key>
       <s:key name="build">172889</s:key>
       <s:key name="dns">localhost.sv.splunk.com</s:key>
       ... eai:acl node elided ...
       <s:key name="guid">dc95537d0e8fdadc44d00c50fc431e25</s:key>
       <s:key name="hostname">localhost.sv.splunk.com</s:key>
       <s:key name="id">connection_10.160.24.187_8089_localhost.sv.splunk.com_localhost.sv.splunk.com_Ombra</s:key>
       <s:key name="ip">10.160.24.187</s:key>
       <s:key name="lastPhoneHomeTime">1375375291</s:key>
       <s:key name="mgmt">8089</s:key>
       <s:key name="name">Ombra</s:key>
       <s:key name="serverClasses">
         <s:dict>
           <s:key name="sc_apps_wma">
             <s:dict>
               <s:key name="loadTime">1375305443</s:key>
               <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
               <s:key name="restartSplunkWeb">0</s:key>
               <s:key name="restartSplunkd">0</s:key>
               <s:key name="stateOnClient">enabled</s:key>
             </s:dict>
           </s:key>
           <s:key name="sc_mach_type">
             <s:dict>
               <s:key name="loadTime">1375305443</s:key>
               <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
               <s:key name="restartSplunkWeb">0</s:key>
               <s:key name="restartSplunkd">0</s:key>
               <s:key name="stateOnClient">enabled</s:key>
             </s:dict>
           </s:key>
           <s:key name="sc_new">
             <s:dict>
               <s:key name="loadTime">1375305443</s:key>
               <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
               <s:key name="restartSplunkWeb">0</s:key>
               <s:key name="restartSplunkd">0</s:key>
               <s:key name="stateOnClient">enabled</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="utsname">linux-x86_64</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



deployment/server/clients/countClients_by_machineType GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/clients/countClients_by_machineType
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>serverclients</title>
 <id>https://localhost:8089/services/deployment/server/clients</id>
 <updated>2013-07-30T15:07:38-07:00</updated>
 <generator build="172889" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/deployment/server/clients/countClients_by_machineType" rel="countClients_by_machineType"/>
 <link href="/services/deployment/server/clients/countRecentDownloads" rel="countRecentDownloads"/>
 <link href="/services/deployment/server/clients/getMatchingAppsForClient_dryRun" rel="getMatchingAppsForClient_dryRun"/>
 <link href="/services/deployment/server/clients/preview" rel="preview"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>default</title>
   <id>https://localhost:8089/services/deployment/server/clients/default</id>
   <updated>2013-07-30T15:07:38-07:00</updated>
   <link href="/services/deployment/server/clients/default" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/deployment/server/clients/default" rel="list"/>
   <link href="/services/deployment/server/clients/default" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="counts">
         <s:dict>
           <s:key name="linux-x86_64">3</s:key>
         </s:dict>
       </s:key>
       ... eai:acl node elided ...
     </s:dict>
   </content>
 </entry>

</feed>



deployment/server/clients/countRecentDownloads GET

XML
XML Request

curl -k -u admin:pass -d maxAgeSecs=1 -G https://localhost:8089/services/deployment/server/clients/countRecentDownloads
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>serverclients</title>
 <id>https://localhost:8089/services/deployment/server/clients</id>
 <updated>2013-07-30T20:00:43-07:00</updated>
 <generator build="172889" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/deployment/server/clients/countClients_by_machineType" rel="countClients_by_machineType"/>
 <link href="/services/deployment/server/clients/countRecentDownloads" rel="countRecentDownloads"/>
 <link href="/services/deployment/server/clients/getMatchingAppsForClient_dryRun" rel="getMatchingAppsForClient_dryRun"/>
 <link href="/services/deployment/server/clients/preview" rel="preview"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>default</title>
   <id>https://localhost:8089/services/deployment/server/clients/default</id>
   <updated>2013-07-30T20:00:43-07:00</updated>
   <link href="/services/deployment/server/clients/default" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/deployment/server/clients/default" rel="list"/>
   <link href="/services/deployment/server/clients/default" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="count">6</s:key>
       ... eai:acl node elided ...
     </s:dict>
   </content>
 </entry>

</feed>



deployment/server/clients/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/services/deployment/server/clients/1d3de43af2aae61139c367044127f44a
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>serverclients</title>
 <id>https://qa-sv-rh61x64-7:8103/services/deployment/server/clients</id>
 <updated>2013-10-21T16:03:49-07:00</updated>
 <generator build="182785" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/deployment/server/clients/countClients_by_machineType" rel="countClients_by_machineType"/>
 <link href="/services/deployment/server/clients/countRecentDownloads" rel="countRecentDownloads"/>
 <link href="/services/deployment/server/clients/getMatchingAppsForClient_dryRun" rel="getMatchingAppsForClient_dryRun"/>
 <link href="/services/deployment/server/clients/preview" rel="preview"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>149685cb3e39898fbd15be6604672a31</title>
   <id>https://qa-sv-rh61x64-7:8103/services/deployment/server/clients/149685cb3e39898fbd15be6604672a31</id>
   <updated>2013-10-21T16:03:49-07:00</updated>
   <link href="/services/deployment/server/clients/149685cb3e39898fbd15be6604672a31" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/deployment/server/clients/149685cb3e39898fbd15be6604672a31" rel="list"/>
   <link href="/services/deployment/server/clients/149685cb3e39898fbd15be6604672a31" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="averagePhoneHomeInterval">60</s:key>
       <s:key name="build">177748</s:key>
       <s:key name="clientName">4D4EA12E-FDBA-41D3-99CD-2A61CC1DAB29</s:key>
       <s:key name="dns">qa-sv-rh61x64-10.sv.splunk.com</s:key>
       ... eai:acl node elided ...
       <s:key name="guid">149685cb3e39898fbd15be6604672a31</s:key>
       <s:key name="hostname">qa-sv-rh61x64-10</s:key>
       <s:key name="id">connection_10.160.24.224_8097_qa-sv-rh61x64-10.sv.splunk.com_qa-sv-rh61x64-10_4D4EA12E-FDBA-41D3-99CD-2A61CC1DAB29</s:key>
       <s:key name="ip">10.160.24.224</s:key>
       <s:key name="lastPhoneHomeTime">1382396628</s:key>
       <s:key name="mgmt">8097</s:key>
       <s:key name="name">4D4EA12E-FDBA-41D3-99CD-2A61CC1DAB29</s:key>
       <s:key name="serverClasses"/>
       <s:key name="utsname">linux-x86_64</s:key>
     </s:dict>
   </content>
 </entry>
 . . . elided ...

</feed>



deployment/server/clients/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>serverclients</title>
 <id>https://localhost:8089/services/deployment/server/clients</id>
 <updated>2013-08-04T18:59:31-07:00</updated>
 <generator build="172889" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/deployment/server/clients/countClients_by_machineType" rel="countClients_by_machineType"/>
 <link href="/services/deployment/server/clients/countRecentDownloads" rel="countRecentDownloads"/>
 <link href="/services/deployment/server/clients/getMatchingAppsForClient_dryRun" rel="getMatchingAppsForClient_dryRun"/>
 <link href="/services/deployment/server/clients/preview" rel="preview"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>dc95537d0e8fdadc44d00c50fc431e25</title>
   <id>https://localhost:8089/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25</id>
   <updated>2013-08-04T18:59:31-07:00</updated>
   <link href="/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25" rel="list"/>
   <link href="/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="applications">
         <s:dict>
           <s:key name="wma-app2">
             <s:dict>
               <s:key name="action">Unknown</s:key>
               <s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_new/wma-app2-1375467593.bundle</s:key>
               <s:key name="restartSplunkWeb">0</s:key>
               <s:key name="restartSplunkd">0</s:key>
               <s:key name="result">Ok</s:key>
               <s:key name="serverclasses">
                 <s:list>
                   <s:item>sc_mach_type</s:item>
                   <s:item>sc_new</s:item>
                   <s:item>sc_apps_wma</s:item>
                 </s:list>
               </s:key>
               <s:key name="size">112640</s:key>
               <s:key name="stateOnClient">enabled</s:key>
             </s:dict>
           </s:key>
           <s:key name="wma-app1">
             <s:dict>
               <s:key name="action">Unknown</s:key>
               <s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_new/wma-app1-1375467593.bundle</s:key>
               <s:key name="restartSplunkWeb">0</s:key>
               <s:key name="restartSplunkd">0</s:key>
               <s:key name="result">Ok</s:key>
               <s:key name="serverclasses">
                 <s:list>
                   <s:item>sc_new</s:item>
                   <s:item>sc_apps_wma</s:item>
                 </s:list>
               </s:key>
               <s:key name="size">112640</s:key>
               <s:key name="stateOnClient">enabled</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="averagePhoneHomeInterval">60</s:key>
       <s:key name="build">172889</s:key>
       <s:key name="dns">localhost.sv.splunk.com</s:key>
       ... eai:acl node elided ...
       ... eai:attribute node elided ...
       <s:key name="guid">dc95537d0e8fdadc44d00c50fc431e25</s:key>
       <s:key name="hostname">localhost.sv.splunk.com</s:key>
       <s:key name="id">connection_10.160.24.187_8089_localhost.sv.splunk.com_localhost.sv.splunk.com_Ombra</s:key>
       <s:key name="ip">10.160.24.187</s:key>
       <s:key name="lastPhoneHomeTime">1375667964</s:key>
       <s:key name="mgmt">8089</s:key>
       <s:key name="name">Ombra</s:key>
       <s:key name="serverClasses">
         <s:dict>
           <s:key name="sc_apps_wma">
             <s:dict>
               <s:key name="loadTime">1375467593</s:key>
               <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
               <s:key name="restartSplunkWeb">0</s:key>
               <s:key name="restartSplunkd">0</s:key>
               <s:key name="stateOnClient">enabled</s:key>
             </s:dict>
           </s:key>
           <s:key name="sc_mach_type">
             <s:dict>
               <s:key name="loadTime">1375467593</s:key>
               <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
               <s:key name="restartSplunkWeb">0</s:key>
               <s:key name="restartSplunkd">0</s:key>
               <s:key name="stateOnClient">enabled</s:key>
             </s:dict>
           </s:key>
           <s:key name="sc_new">
             <s:dict>
               <s:key name="loadTime">1375467593</s:key>
               <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
               <s:key name="restartSplunkWeb">0</s:key>
               <s:key name="restartSplunkd">0</s:key>
               <s:key name="stateOnClient">enabled</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="utsname">linux-x86_64</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



deployment/server/config GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/config
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>deploymentserver</title>
 <id>https://localhost:8089/services/deployment/server/config</id>
 <updated>2013-08-01T08:17:38-07:00</updated>
 <generator build="172889" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/deployment/server/config/_reload" rel="_reload"/>
 <link href="/services/deployment/server/config/attributesUnsupportedInUI" rel="attributesUnsupportedInUI"/>
 <link href="/services/deployment/server/config/listIsDisabled" rel="listIsDisabled"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>config</title>
   <id>https://localhost:8089/servicesNS/nobody/system/deployment/server/config/config</id>
   <updated>2013-08-01T08:17:38-07:00</updated>
   <link href="/servicesNS/nobody/system/deployment/server/config/config" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/deployment/server/config/config" rel="list"/>
   <link href="/servicesNS/nobody/system/deployment/server/config/config/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/deployment/server/config/config" rel="edit"/>
   <link href="/servicesNS/nobody/system/deployment/server/config/config/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="currentDownloads">0</s:key>
       <s:key name="disabled">0</s:key>
       ... eai:acl node elided ...
       <s:key name="loadTime">1375305443</s:key>
       <s:key name="repositoryLocation">$SPLUNK_HOME/etc/deployment-apps</s:key>
       <s:key name="whitelist.0">*</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



deployment/server/config/attributesUnsupportedInUI GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/config/attributesUnsupportedInUI
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>deploymentserver</title>
 <id>https://localhost:8089/services/deployment/server/config</id>
 <updated>2013-08-04T19:14:20-07:00</updated>
 <generator build="172889" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/deployment/server/config/_reload" rel="_reload"/>
 <link href="/services/deployment/server/config/attributesUnsupportedInUI" rel="attributesUnsupportedInUI"/>
 <link href="/services/deployment/server/config/listIsDisabled" rel="listIsDisabled"/>
 ... eai:acl node elided ...
 <s:messages/>
 <entry>
   <title>item_0</title>
   <id>https://localhost:8089/services/deployment/server/config/item_0</id>
   <updated>2013-08-04T19:14:20-07:00</updated>
   <link href="/services/deployment/server/config/item_0" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/deployment/server/config/item_0" rel="list"/>
   <link href="/services/deployment/server/config/item_0/_reload" rel="_reload"/>
   <link href="/services/deployment/server/config/item_0" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       ... opensearch nodes elided ...
       <s:key name="property">whitelist.0</s:key>
       <s:key name="reason">unsupported at this level</s:key>
       <s:key name="stanza">global</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



deployment/server/config/listIsDisabled GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/config/listIsDisabled
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>deploymentserver</title>
 <id>https://localhost:8089/services/deployment/server/config</id>
 <updated>2013-08-10T14:08:11-07:00</updated>
 <generator build="176231" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/deployment/server/config/_reload" rel="_reload"/>
 <link href="/services/deployment/server/config/attributesUnsupportedInUI" rel="attributesUnsupportedInUI"/>
 <link href="/services/deployment/server/config/listIsDisabled" rel="listIsDisabled"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>default</title>
   <id>https://localhost:8089/services/deployment/server/config/default</id>
   <updated>2013-08-10T14:08:11-07:00</updated>
   <link href="/services/deployment/server/config/default" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/deployment/server/config/default" rel="list"/>
   <link href="/services/deployment/server/config/default/_reload" rel="_reload"/>
   <link href="/services/deployment/server/config/default" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="disabled">0</s:key>
       ... eai:acl node elided ...
     </s:dict>
   </content>
 </entry>

</feed>



deployment/server/serverclasses GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/serverclasses
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>serverclasses</title>
 <id>https://localhost:8089/services/deployment/server/serverclasses</id>
 <updated>2013-08-01T09:50:16-07:00</updated>
 <generator build="172889" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/deployment/server/serverclasses/_new" rel="create"/>
 <link href="/services/deployment/server/serverclasses/rename" rel="rename"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>sc_apps_wma</title>
   <id>https://localhost:8089/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma</id>
   <updated>2013-08-01T09:50:16-07:00</updated>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="list"/>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="edit"/>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="remove"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_apps_wma/applications" rel="applications"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_apps_wma/clients" rel="clients"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_apps_wma/reload" rel="reload"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="blacklist-size">0</s:key>
       <s:key name="currentDownloads">0</s:key>
       ... eai:acl node elided ...
       <s:key name="loadTime">1375305443</s:key>
       <s:key name="machineTypesFilter"></s:key>
       <s:key name="repositoryList">
         <s:dict>
           <s:key name="wma-app2"/>
           <s:key name="wma-app1"/>
         </s:dict>
       </s:key>
       <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
       <s:key name="restartSplunkWeb">0</s:key>
       <s:key name="restartSplunkd">0</s:key>
       <s:key name="stateOnClient">enabled</s:key>
       <s:key name="whitelist-size">1</s:key>
       <s:key name="whitelist.0">Ombra*</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>sc_mach_type</title>
   <id>https://localhost:8089/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type</id>
   <updated>2013-08-01T09:50:16-07:00</updated>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="list"/>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="edit"/>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="remove"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_mach_type/applications" rel="applications"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_mach_type/clients" rel="clients"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_mach_type/reload" rel="reload"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="blacklist-size">0</s:key>
       <s:key name="currentDownloads">0</s:key>
       ... eai:acl node elided ...
       <s:key name="loadTime">1375305443</s:key>
       <s:key name="machineTypesFilter">linux-x86_64,</s:key>
       <s:key name="repositoryList">
         <s:dict>
           <s:key name="wma-app-test2"/>
           <s:key name="wma-app_test1"/>
         </s:dict>
       </s:key>
       <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
       <s:key name="restartSplunkWeb">0</s:key>
       <s:key name="restartSplunkd">0</s:key>
       <s:key name="stateOnClient">enabled</s:key>
       <s:key name="whitelist-size">1</s:key>
       <s:key name="whitelist.0">Ombra*</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



deployment/server/serverclasses POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/serverclasses -d name=sc_apps_ombra
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>serverclasses</title>
 <id>https://localhost:8089/services/deployment/server/serverclasses</id>
 <updated>2013-08-10T13:18:28-07:00</updated>
 <generator build="176231" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/deployment/server/serverclasses/_new" rel="create"/>
 <link href="/services/deployment/server/serverclasses/rename" rel="rename"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>sc_apps_ombra</title>
   <id>https://localhost:8089/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_ombra</id>
   <updated>2013-08-10T13:18:28-07:00</updated>
   <link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_ombra" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_ombra" rel="list"/>
   <link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_ombra" rel="edit"/>
   <link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_ombra" rel="remove"/>
   <link href="/servicesNS/nobody/search/deployment/serverclasses/sc_apps_ombra/applications" rel="applications"/>
   <link href="/servicesNS/nobody/search/deployment/serverclasses/sc_apps_ombra/clients" rel="clients"/>
   <link href="/servicesNS/nobody/search/deployment/serverclasses/sc_apps_ombra/reload" rel="reload"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="blacklist-size">0</s:key>
       <s:key name="currentDownloads">0</s:key>
       ... opensearch nodes elided ...
       <s:key name="loadTime">1376165908</s:key>
       <s:key name="machineTypesFilter"></s:key>
       <s:key name="repositoryList">
         <s:dict>
           <s:key name="wma-app-test2"/>
           <s:key name="wma-app3"/>
           <s:key name="wma-app_test1"/>
         </s:dict>
       </s:key>
       <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
       <s:key name="restartSplunkWeb">0</s:key>
       <s:key name="restartSplunkd">0</s:key>
       <s:key name="stateOnClient">enabled</s:key>
       <s:key name="whitelist-size">0</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



deployment/server/serverclasses/rename POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/serverclasses/rename -d oldName=sc_apps_ombra -d newName=sc_apps_shadow
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>serverclasses</title>
 <id>https://localhost:8089/services/deployment/server/serverclasses</id>
 <updated>2013-10-09T08:54:09-07:00</updated>
 <generator build="176231" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/deployment/server/serverclasses/_new" rel="create"/>
 <link href="/services/deployment/server/serverclasses/rename" rel="rename"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>sc_apps_shadow</title>
   <id>https://localhost:8089/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_shadow</id>
   <updated>2013-10-09T08:54:09-07:00</updated>
   <link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_shadow" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_shadow" rel="list"/>
   <link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_shadow" rel="edit"/>
   <link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_shadow" rel="remove"/>
   <link href="/servicesNS/nobody/search/deployment/serverclasses/sc_apps_shadow/applications" rel="applications"/>
   <link href="/servicesNS/nobody/search/deployment/serverclasses/sc_apps_shadow/clients" rel="clients"/>
   <link href="/servicesNS/nobody/search/deployment/serverclasses/sc_apps_shadow/reload" rel="reload"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="blacklist-size">0</s:key>
       <s:key name="currentDownloads">0</s:key>
       ... eai:acl node elided ...
       <s:key name="loadTime">1381334049</s:key>
       <s:key name="machineTypesFilter"></s:key>
       <s:key name="repositoryList">
         <s:dict>
           <s:key name="tmp"/>
           <s:key name="wma-app-test2"/>
           <s:key name="wma-app3"/>
           <s:key name="wma-app_test1"/>
         </s:dict>
       </s:key>
       <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
       <s:key name="restartSplunkWeb">0</s:key>
       <s:key name="restartSplunkd">0</s:key>
       <s:key name="stateOnClient">enabled</s:key>
       <s:key name="whitelist-size">0</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



deployment/server/serverclasses/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/services/deployment/server/serverclasses/sc_apps_shadow
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>serverclasses</title>
 <id>https://localhost:8089/services/deployment/server/serverclasses</id>
 <updated>2013-10-09T09:13:27-07:00</updated>
 <generator build="176231" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/deployment/server/serverclasses/_new" rel="create"/>
 <link href="/services/deployment/server/serverclasses/rename" rel="rename"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>sc_apps_wma</title>
   <id>https://localhost:8089/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma</id>
   <updated>2013-10-09T09:13:27-07:00</updated>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="list"/>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="edit"/>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="remove"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_apps_wma/applications" rel="applications"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_apps_wma/clients" rel="clients"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_apps_wma/reload" rel="reload"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="blacklist-size">0</s:key>
       <s:key name="currentDownloads">0</s:key>
       ... eai:acl node elided ...
       <s:key name="loadTime">1381335207</s:key>
       <s:key name="machineTypesFilter"></s:key>
       <s:key name="repositoryList">
         <s:dict>
           <s:key name="tmp"/>
           <s:key name="wma-app-test2"/>
           <s:key name="wma-app3"/>
           <s:key name="wma-app_test1"/>
         </s:dict>
       </s:key>
       <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
       <s:key name="restartSplunkWeb">0</s:key>
       <s:key name="restartSplunkd">0</s:key>
       <s:key name="stateOnClient">enabled</s:key>
       <s:key name="whitelist-size">1</s:key>
       <s:key name="whitelist.0">Ombra*</s:key>
     </s:dict>
   </content>
 </entry>
 ... elided ...

</feed>



deployment/server/serverclasses/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/serverclasses/sc_mach_type
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>serverclasses</title>
 <id>https://localhost:8089/services/deployment/server/serverclasses</id>
 <updated>2013-08-04T19:19:34-07:00</updated>
 <generator build="172889" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/deployment/server/serverclasses/_new" rel="create"/>
 <link href="/services/deployment/server/serverclasses/rename" rel="rename"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>sc_mach_type</title>
   <id>https://localhost:8089/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type</id>
   <updated>2013-08-04T19:19:34-07:00</updated>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="list"/>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="edit"/>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="remove"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_mach_type/applications" rel="applications"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_mach_type/clients" rel="clients"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_mach_type/reload" rel="reload"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="blacklist-size">0</s:key>
       <s:key name="currentDownloads">0</s:key>
       ... eai:acl node elided ...
       <s:key name="eai:attributes">... elided ...</s:key>
       <s:key name="loadTime">1375467593</s:key>
       <s:key name="machineTypesFilter">linux-x86_64,</s:key>
       <s:key name="repositoryList">
         <s:dict>
           <s:key name="wma-app2"/>
           <s:key name="wma-app1"/>
         </s:dict>
       </s:key>
       <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
       <s:key name="restartSplunkWeb">0</s:key>
       <s:key name="restartSplunkd">0</s:key>
       <s:key name="stateOnClient">enabled</s:key>
       <s:key name="whitelist-size">1</s:key>
       <s:key name="whitelist.0">Ombra*</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



deployment/server/serverclasses/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/serverclasses/sc_apps_ombra -d stateOnClient=noop
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>serverclasses</title>
 <id>https://localhost:8089/services/deployment/server/serverclasses</id>
 <updated>2013-08-10T13:24:16-07:00</updated>
 <generator build="176231" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/deployment/server/serverclasses/_new" rel="create"/>
 <link href="/services/deployment/server/serverclasses/rename" rel="rename"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>sc_apps_ombra</title>
   <id>https://localhost:8089/services/deployment/server/serverclasses/sc_apps_ombra</id>
   <updated>2013-08-10T13:24:16-07:00</updated>
   <link href="/services/deployment/server/serverclasses/sc_apps_ombra" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/deployment/server/serverclasses/sc_apps_ombra" rel="list"/>
   <link href="/services/deployment/server/serverclasses/sc_apps_ombra" rel="edit"/>
   <link href="/services/deployment/server/serverclasses/sc_apps_ombra" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       ... opensearch nodes elided ...
     </s:dict>
   </content>
 </entry>

</feed>



search/distributed/bundle-replication-files GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/search/distributed/bundle-replication-files
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>search-head-bundles</title>
 <id>https://localhost:8089/services/search/distributed/bundle-replication-files</id>
 <updated>2013-10-09T09:42:51-07:00</updated>
 <generator build="176231" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>13134207368020721783</title>
   <id>https://localhost:8089/services/search/distributed/bundle-replication-files/13134207368020721783</id>
   <updated>2013-10-09T09:42:51-07:00</updated>
   <link href="/services/search/distributed/bundle-replication-files/13134207368020721783" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/search/distributed/bundle-replication-files/13134207368020721783" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="checksum">13134207368020721783</s:key>
       ... eai:acl node elided ...
       <s:key name="filename">localhost-1381336958.bundle</s:key>
       <s:key name="location">/opt/cluster/peer1/splunk/var/run/localhost-1381336958.bundle</s:key>
       <s:key name="timestamp">1381336958</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



search/distributed/bundle-replication-files/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/search/distributed/bundle-replication-files/13134207368020721783
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>search-head-bundles</title>
 <id>https://localhost:8089/services/search/distributed/bundle-replication-files</id>
 <updated>2013-10-09T10:07:17-07:00</updated>
 <generator build="176231" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>13134207368020721783</title>
   <id>https://localhost:8089/services/search/distributed/bundle-replication-files/13134207368020721783</id>
   <updated>2013-10-09T10:07:17-07:00</updated>
   <link href="/services/search/distributed/bundle-replication-files/13134207368020721783" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/search/distributed/bundle-replication-files/13134207368020721783" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="checksum">13134207368020721783</s:key>
       ... eai:acl node elided ...
       <s:key name="eai:attributes">... elided ...</s:key>
       <s:key name="filename">localhost-1381336958.bundle</s:key>
       <s:key name="location">/opt/cluster/peer1/splunk/var/run/localhost-1381336958.bundle</s:key>
       <s:key name="timestamp">1381336958</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



search/distributed/config GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/search/distributed/config
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>distsearch-setup</title>
 <id>https://localhost:8089/services/search/distributed/config</id>
 <updated>2011-07-10T23:21:51-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>distributedSearch</title>
   <id>https://localhost:8089/services/search/distributed/config/distributedSearch</id>
   <updated>2011-07-10T23:21:51-07:00</updated>
   <link href="/services/search/distributed/config/distributedSearch" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/search/distributed/config/distributedSearch" rel="list"/>
   <link href="/services/search/distributed/config/distributedSearch" rel="edit"/>
   <link href="/services/search/distributed/config/distributedSearch" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="autoAddServers">0</s:key>
       <s:key name="blacklistNames"/>
       <s:key name="blacklistURLs"/>
       <s:key name="checkTimedOutServersFrequency">60</s:key>
       <s:key name="disabled">0</s:key>
       <s:key name="dist_search_enabled">1</s:key>
       ... eai:acl node elided ...
       <s:key name="heartbeatFrequency">0</s:key>
       <s:key name="heartbeatMcastAddr">224.0.0.37</s:key>
       <s:key name="heartbeatPort">8888</s:key>
       <s:key name="removedTimedOutServers">0</s:key>
       <s:key name="serverTimeout">10</s:key>
       <s:key name="servers"/>
       <s:key name="shareBundles">1</s:key>
       <s:key name="skipOurselves">0</s:key>
       <s:key name="statusTimeout">10</s:key>
       <s:key name="ttl">1</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



search/distributed/peers GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/search/distributed/peers
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>distsearch-peer</title>
 <id>https://localhost:8089/services/search/distributed/peers</id>
 <updated>2011-07-11T18:21:48-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/search/distributed/peers/_new" rel="create"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>tiny:8090</title>
   <id>https://localhost:8089/services/search/distributed/peers/tiny%3A8090</id>
   <updated>2011-07-11T18:21:48-07:00</updated>
   <link href="/services/search/distributed/peers/tiny%3A8090" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/search/distributed/peers/tiny%3A8090" rel="list"/>
   <link href="/services/search/distributed/peers/tiny%3A8090" rel="edit"/>
   <link href="/services/search/distributed/peers/tiny%3A8090" rel="remove"/>
   <link href="/services/search/distributed/peers/tiny%3A8090/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="build"/>
       <s:key name="bundle_versions">
         <s:list/>
       </s:key>
       <s:key name="disabled">0</s:key>
       ... eai:acl node elided ...
       <s:key name="guid"/>
       <s:key name="is_https">1</s:key>
       <s:key name="licenseSignature"/>
       <s:key name="peerName">tiny:8090</s:key>
       <s:key name="peerType">configured</s:key>
       <s:key name="replicationStatus">Initial</s:key>
       <s:key name="status">Down</s:key>
       <s:key name="version"/>
     </s:dict>
   </content>
 </entry>

</feed>



search/distributed/peers POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/search/distributed/peers -d name=MrT:8092 -d remoteUsername=admin -d remotePassword=mypass
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>distsearch-peer</title>
 <id>https://localhost:8089/services/search/distributed/peers</id>
 <updated>2011-07-11T18:22:00-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/search/distributed/peers/_new" rel="create"/>
 ... opensearch nodes elided ...
 <s:messages/>

</feed>

Input endpoints

Input endpoint descriptions

Manage and preview input data, including:

data/inputs/ad


https://<host>:<mPort>/services/data/inputs/ad

Authentication: Not required

Description

Provides access to Active Directory monitoring input.

Method summary
Method Description Formats
GET Gets current active directory monitoring configuration. XML, JSON
POST Creates new or modifies existing performance monitoring settings. XML, JSON

GET data/inputs/ad method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
disabled Indicates whether this input is disabled.
index The index in which to store the gathered data.

If no value is present, send data to the default index.

monitorSubtree Indicates whether or not to monitor the subtrees of a given Active Directory tree path.
startingNode Tells Splunk Enterprise where in the Active Directory directory tree to start monitoring.

If not specified, Splunk Enterprise attempts to start at the root of the directory tree.

The user that you configure Splunk Enterprise to run as at installation determines where Splunk starts monitoring.

targetDc Fully qualified domain name of a valid, network-accessible Active Directory domain controller.

If not specified, Splunk Enterprise obtains the local computer DC by default, and binds to its root Distinguished Name (DN).


POST data/inputs/ad method detail

Example

Request parameters
Name Datatype Default Description
baseline Boolean Indicates whether to query baseline objects. Defaults to true.

Baseline objects are objects which currently reside in Active Directory and include previously deleted objects.

host String Docs-W8R2-Std7 Host name for the Active Directory Monitor.
index String default The index in which to store the gathered data.

If not specified defaults to the default index.

monitorSubtree
required
Number Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no.
name
required
String A unique name that represents a configuration or set of configurations for a specific domain controller.
printSchema Boolean Indicates whether to print the Active Directory schema. Defaults to true.
source String Source for data inputs.
sourcetype String Source type of data inputs.
startingNode String Where in the Active Directory directory tree to start monitoring. If not specified, attempts to start at the root of the directory tree.
targetDc String Specifies a fully qualified domain name of a valid, network-accessible domain controller. If not specified, Splunk Enterprise gets the local domain controller.
Response data keys

None

[ Top ]



data/inputs/ad/{name}


https://<host>:<mPort>/services/data/inputs/ad/{name}

Authentication: Not required

Description

Manage {name} active directory monitoring.

Method summary
Method Description Formats
DELETE Deletes a given active directory monitoring stanza. XML, JSON
GET Gets the current configuration for a given active directory monitoring stanza. XML, JSON
POST Modifies a given active directory monitoring stanza. XML, JSON

DELETE data/inputs/ad/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/inputs/ad/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
Attribute Description
disabled Indicates whether this input is disabled.
index The index in which to store the gathered data.

If no value is present, send data to the default index.

monitorSubtree Indicates whether or not to monitor the subtrees of a given Active Directory tree path.

POST data/inputs/ad/{name} method detail

Example

Request parameters
Name Datatype Default Description
baseline Boolean Indicates whether to query baseline objects. Defaults to true.

Baseline objects are objects which currently reside in Active Directory and include previously deleted objects.

host String Docs-W8R2-Std7 Host name for the Active Directory Monitor.
index String default The index in which to store the gathered data.

If not specified defaults to the default index.

monitorSubtree
required
Number Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no.
printSchema Boolean Indicates whether to print the Active Directory schema. Defaults to true.
source String Source for data inputs.
sourcetype String Source type of data inputs.
startingNode String Where in the Active Directory directory tree to start monitoring. If not specified, attempts to start at the root of the directory tree.
targetDc String Specifies a fully qualified domain name of a valid, network-accessible DC. If not specified, Splunk Enterprise gets the local computer's DC.
Response data keys

None

data/inputs/all


https://<host>:<mPort>/services/data/inputs/all

Authentication: Not required

Description

Provides access to all inputs to the Splunk Enterprise server. This includes any modular inputs that may be defined on the system.

Method summary
Method Description Formats
GET Lists all inputs, including modular inputs. XML, JSON

GET data/inputs/all method detail

Example

Request parameters
Name Datatype Default Description
common Boolean Indicates whether to return only attributes commom to all inputs. These common attributes are:
app
disabled
host
index
owner
source
sourcetype
title
updated

Pagination and filtering parameters can be used with this method.

Response data keys

None

Returns an <entry> for each input, where <content> lists attributes specific to the input.

[ Top ]



data/inputs/all/{name}


https://<host>:<mPort>/services/data/inputs/all/{name}

Authentication: Not required

Description

Get information about the {name} input source.

Method summary
Method Description Formats
GET Lists details for inputs for the input source specified by {name}. XML, JSON

GET data/inputs/all/{name} method detail

Example

Request parameters
Name Datatype Default Description
common Boolean Indicates whether to return only attributes commom to all inputs. These common attributes are:
app
disabled
host
index
owner
source
sourcetype
title
updated
Response data keys

None

[ Top ]



data/inputs/monitor


https://<host>:<mPort>/services/data/inputs/monitor

Authentication: Not required

Description

Provides access to monitor inputs.

Method summary
Method Description Formats
GET List enabled and disabled monitor inputs. XML, JSON
POST Create a new file or directory monitor input. XML, JSON

GET data/inputs/monitor method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
_TCP_ROUTING List of TCP forwarding groups, as specified in outputs.conf.
disabled Indicates if inputs monitoring is disabled.
filecount Number of files monitored.
host Name of the Splunk Enterprise host for which inputs are monitored.
index The index in which to store the gathered data.
sourcetype Source type being monitored.

The source type of an event is the format of the data input from which it originates, such as access_combined or cisco_syslog. The source type determines how Splunk Enterprise formats your data.


POST data/inputs/monitor method detail

Example

Request parameters
Name Datatype Default Description
blacklist String Specify a regular expression for a file path. The file path that matches this regular expression is not indexed.
check-index Boolean If set to true, the "index" value is checked to ensure that it is the name of a valid index.
check-path Boolean If set to true, the "name" value is checked to ensure that it exists.
crc-salt String A string that modifies the file tracking identity for files in this input. The magic value "<SOURCE>" invokes special behavior (see admin documentation).
disabled Boolean Indicates if input monitoring is disabled.
followTail Boolean If set to true, files that are seen for the first time is read from the end.
host String The value to populate in the host field for events from this data input.
host_regex String Specify a regular expression for a file path. If the path for a file matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group.
host_segment Number Use the specified slash-separate segment of the filepath as the host field value.
ignore-older-than String Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer being monitored.
index String default Which index events from this input should be stored in.
name
required
String The file or directory path to monitor on the system.
recursive Boolean Setting this to "false" prevents monitoring of any subdirectories encountered within this data input.
rename-source String The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs.
sourcetype String The value to populate in the sourcetype field for incoming events.
time-before-close Number When Splunk Enterprise reaches the end of a file that is being read, the file is kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file is checked again for more data.
whitelist String Specify a regular expression for a file path. Only file paths that match this regular expression are indexed.
Response data keys

None

[ Top ]

pre>

</pre>

data/inputs/monitor/{name}


https://<host>:<mPort>/services/data/inputs/monitor/{name}

Authentication: Not required

Description

Manage the {name} monitor input.

Method summary
Method Description Formats
DELETE Disable the named monitor data input and remove it from the configuration. XML, JSON
GET List the properties of a single monitor data input. XML, JSON
POST Update properties of the named monitor input. XML, JSON

DELETE data/inputs/monitor/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/inputs/monitor/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
disabled Indicates if inputs monitoring is disabled.
filecount Number of files being monitored.
host Name of the Splunk Enterprise host for which inputs are monitored.
index The index events from this input should be stored in.

POST data/inputs/monitor/{name} method detail

Example

Request parameters
Name Datatype Default Description
blacklist String Specify a regular expression for a file path. The file path that matches this regular expression is not indexed.
check-index Boolean If set to true, the "index" value is checked to ensure that it is the name of a valid index.
check-path Boolean If set to true, the "name" value is checked to ensure that it exists.
crc-salt String A string that modifies the file tracking identity for files in this input. The magic value "<SOURCE>" invokes special behavior (see admin documentation).
disabled Boolean Indicates if input monitoring is disabled.
followTail Boolean If set to true, files that are seen for the first time is read from the end.
host String The value to populate in the host field for events from this data input.
host_regex String Specify a regular expression for a file path. If the path for a file matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group.
host_segment Number Use the specified slash-separate segment of the filepath as the host field value.
ignore-older-than String Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer being monitored.
index String default Which index events from this input should be stored in.
recursive Boolean Setting this to "false" prevents monitoring of any subdirectories encountered within this data input.
rename-source String The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs.
sourcetype String The value to populate in the sourcetype field for incoming events.
time-before-close Number When Splunk Enterprise reaches the end of a file that is being read, the file is kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file is checked again for more data.
whitelist String Specify a regular expression for a file path. Only file paths that match this regular expression are indexed.
Response data keys

None

data/inputs/monitor/{name}/members


https://<host>:<mPort>/services/data/inputs/monitor/{name}/members

Authentication: Not required

Description

List {name} monitor input files.

Method summary
Method Description Formats
GET Lists all files monitored under the named monitor input. XML, JSON

GET data/inputs/monitor/{name}/members method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys

None

[ Top ]



data/inputs/oneshot


https://<host>:<mPort>/services/data/inputs/oneshot

Authentication: Not required

Description

Provides access to oneshot inputs.

Method summary
Method Description Formats
GET Enumerates in-progress oneshot inputs. As soon as an input is complete, it is removed from this list. XML, JSON
POST Queues a file for immediate indexing. The file must be locally accessible from the server. This endpoint can handle any single file: plain, compressed or archive. The file is indexed in full, regardless of whether or not it is already indexed. XML, JSON

GET data/inputs/oneshot method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
Bytes Indexed Total number of bytes read and sent to the pipeline for indexing during a oneshot input.

This total includes the uncompressed byte count from a source file that is compressed on disk.

Offset Current position in the source file, indicating how much of the file is read. For compressed source files, this offset represents the position in the compressed format.

You can obtain the percentage of a source file read by calculating offset/size.

Size Size of the source file, in bytes.

You can obtain the percentage of a source file read by calculating offset/size.

Sources Indexed Indicates the number of sources read from a file in a compressed format such as tar or zip.

A value of 0 indicates the source file was not compressed.

Spool Time Time that the request was made to read the source file.

POST data/inputs/oneshot method detail

Example

Request parameters
Name Datatype Default Description
host String The value of the "host" field to be applied to data from this file.
host_regex String A regex to be used to extract a "host" field from the path.

If the path matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group.

host_segment Number Use the specified slash-separate segment of the path as the host field value.
index String The destination index for data processed from this file.
name
required
String The path to the file to be indexed. The file must be locally accessible by the server.
rename-source String The value of the "source" field to be applied to data from this file.
sourcetype String The value of the "sourcetype" field to be applied to data from this file.
Response data keys

None

[ Top ]



data/inputs/oneshot/{name}


https://<host>:<mPort>/services/data/inputs/oneshot/{name}

Authentication: Not required

Description

Get information about the {name} one-shot input.

Method summary
Method Description Formats
GET Finds information about a single in-flight one shot input. This is a subset of the information in the full enumeration. XML, JSON

GET data/inputs/oneshot/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
Bytes Indexed Total number of bytes read and sent to the pipeline for indexing during a oneshot input.

This total includes the uncompressed byte count from a source file that is compressed on disk.

Offset Current position in the source file, indicating how much of the file is read. For compressed source files, this offset represents the position in the compressed format.

You can obtain the percentage of a source file read by calculating offset/size.

Size Size of the source file, in bytes.

You can obtain the percentage of a source file read by calculating offset/size.

Sources Indexed Indicates the number of sources read from a file in a compressed format such as tar or zip.

A value of 0 indicates the source file was not compressed.

Spool Time Time that the request was made to read the source file.

[ Top ]



data/inputs/registry


https://<host>:<mPort>/services/data/inputs/registry

Authentication: Not required

Description

Provides access to Windows registry monitoring input.

Method summary
Method Description Formats
GET Gets current registry monitoring configuration. XML, JSON
POST Creates new or modifies existing registry monitoring settings. XML, JSON

GET data/inputs/registry method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
baseline Indicates whether or not Splunk Enterprise should get a baseline of Registry events when it starts. Defaults to false.

If true, the input captures a baseline for the specified hive when the input starts for the first time.

disabled Indicats whether this input is disabled.
hive Regular expression for Registry hives that this input should monitor for Registry access.

Matches against the Registry key which was accessed.

Events that contain hives that do not match the regular expression get filtered out. Events that contain hives that match the regular expression pass through.

index Specifies the index that this input should send the data to.

If no value is present, defaults to the default index.

monitorSubnodes Indicates whether to monitor all Registry hives beneath the specified hive.
proc Regular expression for processes this input should monitor for Registry access.

It matches against the process name which performed the Registry access.

Events generated by processes that do not match the regular expression get filtered out. Events generated by processes that match the regular expression pass through.

type A regular expression that specifies the types of Registry events to monitor.

POST data/inputs/registry method detail

Example

Request parameters
Name Datatype Default Description
baseline
required
Number Specifies whether or not to establish a baseline value for the registry keys. 1 means yes, 0 no.
hive
required
String Specifies the registry hive under which to monitor for changes.
name
required
String Name of the configuration stanza.
proc
required
String Specifies a regex. If specified, collect changes if a process name matches that regex.
type
required
String A list of Registry events types that you want to monitor. Separate each type with a pipe ('|') character. For example,

set|create|delete|rename

disabled Number Indicates whether the monitoring is disabled.
index String default The index in which to store the gathered data.
monitorSubnodes Boolean True Indicates whether to monitor all Registry hives beneath the specified hive.
Response data keys

None

[ Top ]



data/inputs/registry/{name}


https://<host>:<mPort>/services/data/inputs/registry/{name}

Authentication: Not required

Description

Manage registry monitoring {name} stanza.

Method summary
Method Description Formats
DELETE Deletes registry monitoring configuration stanza. XML, JSON
GET Gets current registry monitoring configuration stanza. XML, JSON
POST Modifies given registry monitoring stanza. XML, JSON

DELETE data/inputs/registry/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/inputs/registry/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
baseline Indicates whether to get a baseline of Registry events when Splunk Enterprise starts.
disabled Indicates if the input is disabled.
hive Regular expression for Registry hives that this input should monitor for Registry access.

Matches against the Registry key which was accessed.

Events that contain hives that do not match the regular expression get filtered out. Events that contain hives that match the regular expression pass through.

index Specifies the index that this input should send the data to.

If no value is present, defaults to the default index.

monitorSubnodes Indicates whether to monitor all Registry hives beneath the specified hive.
proc Regular expression for processes this input should monitor for Registry access.

It matches against the process name which performed the Registry access.

Events generated by processes that do not match the regular expression get filtered out. Events generated by processes that match the regular expression pass through.

type Regular expression that specifies the types of Registry events to monitor.

POST data/inputs/registry/{name} method detail

Example

Request parameters
Name Datatype Default Description
baseline
required
Number Specifies whether or not to establish a baseline value for the registry keys. 1 means yes, 0 no.
hive
required
String Specifies the registry hive under which to monitor for changes.
proc
required
String Specifies a regex. If specified, collect changes if a process name matches that regex.
type
required
String A list of Registry events types that you want to monitor. Separate each type with a pipe ('|') character.

For example:

set|create|delete|rename

disabled Number Indicates whether the monitoring is disabled.
index String default The index in which to store the gathered data.
monitorSubnodes Boolean True Indicates whether to monitor all Registry hives beneath the specified hive.
Response data keys

None

[ Top ]



data/inputs/script


https://<host>:<mPort>/services/data/inputs/script

Authentication: Not required

Description

Provides access to scripted inputs.

Method summary
Method Description Formats
GET Gets the configuration settings for scripted inputs. XML, JSON
POST Configures settings for new scripted inputs. XML, JSON

GET data/inputs/script method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
disabled Specifies whether the input script is disabled.
endtime If available, the time when the script stopped executing.
group The name of the inputstatus group, which is always "exec commands."
host The host this data is identified with.
index Sets the index for events from this input. Defaults to the main index.
interval An integer or cron schedule.

Specifies how often to execute the specified script, in seconds or a valid cron schedule. For a cron schedule, the script is not executed on start-up.

source The source key/field for events from this input. Defaults to the input file path.

Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

sourcetype Sets the sourcetype key/field for events from this input. If unset, Splunk Enterprise picks a source type based on various aspects of the data. There is no hard-coded default.

For more information, see the documentation for the sourcetype parameter for the POST operation.

starttime If available, the time the when the script was executed.

POST data/inputs/script method detail

Example

Request parameters
Name Datatype Default Description
disabled Boolean Specifies whether the input script is disabled.
host String Sets the host for events from this input. Defaults to whatever host sent the event.
index String default Sets the index for events from this input. Defaults to the main index.
interval
required
Number 60.0 Specify an integer or cron schedule. This parameter specifies how often to execute the specified script, in seconds or a valid cron schedule. If you specify a cron schedule, the script is not executed on start-up.
name
required
String Specify the name of the scripted input.
passAuth String User to run the script as.

If you provide a username, Splunk Enterprise generates an auth token for that user and passes it to the script.

rename-source String Specify a new name for the source field for the script.
source String Sets the source key/field for events from this input. Defaults to the input file path.

Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieived. Consider use of source types, tagging, and search wildcards before overriding this value.


sourcetype String Sets the sourcetype key/field for events from this input. If unset, Splunk Enterprise picks a source type based on various aspects of the data. As a convenience, the chosen string is prepended with 'sourcetype::'. There is no hard-coded default.

Sets the sourcetype key initial value. The key is used during parsing/indexing, in particular to set the source type field during indexing. It is also the source type field used at search time.

Primarily used to explicitly declare the source type for this data, as opposed to allowing it to be determined using automated methods. This is typically important both for searchability and for applying the relevant configuration for this type of data during parsing and indexing.

Response data keys

None

[ Top ]



data/inputs/script/restart


https://<host>:<mPort>/services/data/inputs/script/restart

Authentication: Not required

Description

Allows for restarting scripted inputs.

Method summary
Method Description Formats
POST Causes a restart on a given scripted input. XML, JSON

POST data/inputs/script/restart method detail

Example

Request parameters
Name Datatype Default Description
script
required
String Path to the script to be restarted. This path must match an already-configured existing scripted input.
Response data keys

None

[ Top ]



data/inputs/script/{name}


https://<host>:<mPort>/services/data/inputs/script/{name}

Authentication: Not required

Description

Manage the {name} scripted input.

Method summary
Method Description Formats
DELETE Removes the scripted input specified by {name}. XML, JSON
GET Returns the configuration settings for the scripted input specified by {name}. XML, JSON
POST Configures settings for scripted input specified by {name}. XML, JSON

DELETE data/inputs/script/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/inputs/script/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
disabled Specifies whether the input script is disabled.
group The name of the inputstatus group, which is always "exec commands."
host The host this data is identified with.
index Sets the index for events from this input. Defaults to the main index.
interval An integer or cron schedule.

Specifies how often to execute the specified script, in seconds or a valid cron schedule. For a cron schedule, the script is not executed on start-up.


POST data/inputs/script/{name} method detail

Example

Request parameters
Name Datatype Default Description
disabled Boolean Specifies whether the input script is disabled.
host String Sets the host for events from this input. Defaults to whatever host sent the event.
index String default Sets the index for events from this input. Defaults to the main index.
interval Number 60.0 Specify an integer or cron schedule. This parameter specifies how often to execute the specified script, in seconds or a valid cron schedule. If you specify a cron schedule, the script is not executed on start-up.
passAuth String User to run the script as.

If you provide a username, Splunk Enterprise generates an auth token for that user and passes it to the script.

rename-source String Specify a new name for the source field for the script.
source String Sets the source key/field for events from this input. Defaults to the input file path.

Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieived. Consider use of source types, tagging, and search wildcards before overriding this value.


sourcetype String Sets the sourcetype key/field for events from this input. If unset, Splunk Enterprise picks a source type based on various aspects of the data. As a convenience, the chosen string is prepended with 'sourcetype::'. There is no hard-coded default.

Sets the sourcetype key initial value. The key is used during parsing/indexing, in particular to set the source type field during indexing. It is also the source type field used at search time.

Primarily used to explicitly declare the source type for this data, as opposed to allowing it to be determined using automated methods. This is typically important both for searchability and for applying the relevant configuration for this type of data during parsing and indexing.

Response data keys

None

[ Top ]



data/inputs/tcp/cooked


https://<host>:<mPort>/services/data/inputs/tcp/cooked

Authentication: Not required

Description

Provides access to TCP inputs from forwarders.

Forwarders can transmit three types of data: raw, unparsed, or parsed. Cooked data refers to parsed and unparsed formats.

Method summary
Method Description Formats
GET Returns information about all cooked TCP inputs. XML, JSON
POST Creates a new container for managing cooked data. XML, JSON

GET data/inputs/tcp/cooked method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
_rcvbuf [Deprecated]
disabled Indicates if the input is disabled.
group Set to 'listenerports' for listening ports.
host The default value to fill in for events lacking a host value.
index The index in which to store generated events.

POST data/inputs/tcp/cooked method detail

Example

Request parameters
Name Datatype Default Description
SSL Boolean If SSL is not already configured, error is returned
connection_host Enum ip Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk Enterprise system hostname.

Default value is ip.

disabled Boolean Indicates whether the input is disabled.
host String The default value to fill in for events lacking a host value.
name
required
Number The port number of this input.
restrictToHost String Restrict incoming connections on this port to the host specified here.
Response data keys

None

[ Top ]



data/inputs/tcp/cooked/{name}


https://<host>:<mPort>/services/data/inputs/tcp/cooked/{name}

Authentication: Not required

Description

Manage cooked TCP inputs for the {name} host or port.

Method summary
Method Description Formats
DELETE Removes the cooked TCP inputs for port or host:port specified by {name} XML, JSON
GET Returns information for the cooked TCP input specified by {name}. If port is restricted to a host, name should be URI-encoded host:port. XML, JSON
POST Updates the container for managing cooked data. XML, JSON

DELETE data/inputs/tcp/cooked/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/inputs/tcp/cooked/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
_rcvbuf [Deprecated]
disabled Indicates if the input is disabled.
group Set to 'listenerports' for listening ports.
host The default value to fill in for events lacking a host value.
index The index in which to store generated events.
restrictToHost Restrict incoming connections on this port to the specified host.

POST data/inputs/tcp/cooked/{name} method detail

Example

Request parameters
Name Datatype Default Description
SSL Boolean If SSL is not already configured, error is returned
connection_host Enum ip Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk Enterprise system hostname.

Default value is ip.

disabled Boolean Indicates whether the input is disabled.
host String The default value to fill in for events lacking a host value.
restrictToHost String Restrict incoming connections on this port to the host specified here.
Response data keys

None

[ Top ]



data/inputs/tcp/cooked/{name}/connections


https://<host>:<mPort>/services/data/inputs/tcp/cooked/{name}/connections

Authentication: Not required

Description

Get active connections to the {name} port.

Method summary
Method Description Formats
GET Retrieves list of active connections to the named port. XML, JSON

GET data/inputs/tcp/cooked/{name}/connections method detail

Example

Request parameters

None

Response data keys
Name Description
connection Identifies the connection to port.
servername Server name of forwarder connecting to this port.

[ Top ]



data/inputs/tcp/raw


https://<host>:<mPort>/services/data/inputs/tcp/raw

Authentication: Not required

Description

Container for managing raw tcp inputs from forwarders.

Forwarders can transmit three types of data: raw, unparsed, or parsed. Cooked data refers to parsed and unparsed formats.

Method summary
Method Description Formats
GET Returns information about all raw TCP inputs. XML, JSON
POST Creates a new data input for accepting raw TCP data. XML, JSON

GET data/inputs/tcp/raw method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
_rcvbuf [Deprecated]
disabled Indicates whether the inputs are disabled.
group Set to 'listenerports' for listening ports.
host The host from which the indexer gets data.
index The index in which to store generated events.

POST data/inputs/tcp/raw method detail

Example

Request parameters
Name Datatype Default Description
connection_host Enum dns Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk Enterprise system hostname.

Default value is ip.

disabled Boolean Indicates whether the inputs are disabled.
host String The host from which the indexer gets data.
index String default The index in which to store all generated events.
name
required
String The input port which splunk receives raw data in.
queue Enum Valid values: (parsingQueue | indexQueue)

Specifies where the input processor should deposit the events it reads. Defaults to parsingQueue.

Set queue to parsingQueue to apply props.conf and other parsing rules to your data. For more information about props.conf and rules for timestamping and linebreaking, refer to props.conf and the online documentation at Edit inputs.conf

Set queue to indexQueue to send your data directly into the index.

rawTcpDoneTimeout Number Specifies in seconds the timeout value for adding a Done-key. Default value is 10 seconds.

If a connection over the port specified by name remains idle after receiving data for specified number of seconds, it adds a Done-key. This implies the last event is completely received.

restrictToHost String Allows for restricting this input to only accept data from the host specified here.
SSL Boolean
source String Sets the source key/field for events from this input. Defaults to the input file path.

Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value.

sourcetype String Set the source type for events from this input.

"sourcetype=" is automatically prepended to <string>.

Defaults to audittrail (if signedaudit=true) or fschange (if signedaudit=false).

Response data keys

None

[ Top ]



data/inputs/tcp/raw/{name}


https://<host>:<mPort>/services/data/inputs/tcp/raw/{name}

Authentication: Not required

Description

Manage raw inputs for the {name} host or port.

Method summary
Method Description Formats
DELETE Removes the raw inputs for port or host:port specified by {name} XML, JSON
GET Returns information about raw TCP input port {name}. If port is restricted to a host, name should be URI-encoded host:port. XML, JSON
POST Updates the container for managing raw data. XML, JSON

DELETE data/inputs/tcp/raw/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/inputs/tcp/raw/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
_rcvbuf [Deprecated]
disabled Indicates whether the inputs are disabled.
group Set to 'listenerports' for listening ports.
host The host from which the indexer gets data.
index The index in which to store generated events.
restrictToHost Restrict incoming connections on this port to the specified host.

POST data/inputs/tcp/raw/{name} method detail

Example

Request parameters
Name Datatype Default Description
SSL Boolean
connection_host Enum dns Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk Enterprise system hostname.

Default value is ip.

disabled Boolean Indicates whether the inputs are disabled.
host String The host from which the indexer gets data.
index String default The index in which to store all generated events.
queue Enum Valid values: (parsingQueue | indexQueue)

Specifies where the input processor should deposit the events it reads. Defaults to parsingQueue.

Set queue to parsingQueue to apply props.conf and other parsing rules to your data. For more information about props.conf and rules for timestamping and linebreaking, refer to props.conf and the online documentation at Edit inputs.conf

Set queue to indexQueue to send your data directly into the index.

rawTcpDoneTimeout Number Specifies in seconds the timeout value for adding a Done-key. Default value is 10 seconds.

If a connection over the port specified by name remains idle after receiving data for specified number of seconds, it adds a Done-key. This implies the last event is completely received.

restrictToHost String Allows for restricting this input to only accept data from the host specified here.
source String Sets the source key/field for events from this input. Defaults to the input file path.

Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value.

sourcetype String Set the source type for events from this input.

"sourcetype=" is automatically prepended to <string>.

Defaults to audittrail (if signedaudit=true) or fschange (if signedaudit=false).

Response data keys

None

[ Top ]



data/inputs/tcp/raw/{name}/connections


https://<host>:<mPort>/services/data/inputs/tcp/raw/{name}/connections

Authentication: Not required

Description

Get active connections the the {name} host or port.

Method summary
Method Description Formats
GET View all connections to the named data input. XML, JSON

GET data/inputs/tcp/raw/{name}/connections method detail

Example

Request parameters

None

Response data keys
Name Description
connection IP address and port of the source connecting to this TCP input port.
servername DNS name of the source connecting to this TCP input port.

[ Top ]



data/inputs/tcp/ssl


https://<host>:<mPort>/services/data/inputs/tcp/ssl

Authentication: Not required

Description

Provides access to the SSL configuration of a Splunk Enterprise server.

Method summary
Method Description Formats
GET Returns SSL configuration. There is only one SSL configuration for all input ports. XML, JSON

GET data/inputs/tcp/ssl method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
_rcvbuf [Deprecated]
cipherSuite Specifies list of acceptable ciphers to use in ssl.
disabled Indicates whether this input is disabled.
host The host from which the indexer gets data.
index The index in which to store generated events.

[ Top ]



data/inputs/tcp/ssl/{name}


https://<host>:<mPort>/services/data/inputs/tcp/ssl/{name}

Authentication: Not required

Description

Manage SSL configuration for the {name} host.

Method summary
Method Description Formats
GET Returns the SSL configuration for the host {name}. XML, JSON
POST Configures SSL attributes for the host {name}. XML, JSON

GET data/inputs/tcp/ssl/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
_rcvbuf [Deprecated]
cipherSuite Specifies list of acceptable ciphers to use in ssl.
disabled Indicates whether this input is disabled.
host The host from which the indexer gets data.
index The index in which to store generated events.

POST data/inputs/tcp/ssl/{name} method detail

Example

Request parameters
Name Datatype Default Description
disabled Boolean Indicates whether the inputs are disabled.
password String Server certificate password, if any.
requireClientCert Boolean Determines whether a client must authenticate.
rootCA String Certificate authority list (root file)
serverCert String Full path to the server certificate.
Response data keys

None

[ Top ]



data/inputs/udp


https://<host>:<mPort>/services/data/inputs/udp

Authentication: Not required

Description

Provides access to UPD data inputs.

Method summary
Method Description Formats
GET List enabled and disabled UDP data inputs. XML, JSON
POST Create a new UDP data input. XML, JSON

GET data/inputs/udp method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
_rcvbuf Specifies socket receive buffer size in bytes.
disabled Indicates whether the inputs are disabled.
group Set to 'listenerports' for listening ports.
host The host from which the indexer gets data.
index The index in which to store generated events.

POST data/inputs/udp method detail

Example

Request parameters
Name Datatype Default Description
connection_host Enum ip Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk Enterprise system hostname.

Default value is ip.

disabled Boolean Indicates if the input is disabled.
host String The value to populate in the host field for incoming events.

This is used during parsing/indexing, in particular to set the host field. It is also the host field used at search time.

index String default Which index events from this input should be stored in.
name
required
String The UDP port that this input should listen on.
no_appending_timestamp Boolean If set to true, prevents Splunk Enterprise from prepending a timestamp and hostname to incoming events.
no_priority_stripping Boolean If set to true, Splunk Enterprise does remove the priority field from incoming syslog events.
queue String Which queue events from this input should be sent to. Generally this does not need to be changed.
restrictToHost String Restrict incoming connections on this port to the host specified here.

If this is not set, the value specified in [udp://<remote server>:<port>] in inputs.conf is used.

source String The value to populate in the source field for incoming events. The same source should not be used for multiple data inputs.
sourcetype String The value to populate in the sourcetype field for incoming events.
Response data keys

None

[ Top ]



data/inputs/udp/{name}


https://<host>:<mPort>/services/data/inputs/udp/{name}

Authentication: Not required

Description

Manage the {name} UDP host or port.

Method summary
Method Description Formats
DELETE Disable the named UDP data input and remove it from the configuration. XML, JSON
GET List the properties of a single UDP data input port or host:port {name}. If port is restricted to a host, name should be URI-encoded host:port. XML, JSON
POST Edit properties of the named UDP data input. XML, JSON

DELETE data/inputs/udp/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/inputs/udp/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
_rcvbuf Specifies socket receive buffer size in bytes.
disabled Indicates whether the inputs are disabled.
group Set to 'listenerports' for listening ports.
host The host from which the indexer gets data.
index The index in which to store generated events.

POST data/inputs/udp/{name} method detail

Example

Request parameters
Name Datatype Default Description
connection_host Enum ip Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk Enterprise system hostname.

Default value is ip.

disabled Boolean Indicates if the input is disabled.
host String The value to populate in the host field for incoming events.

This is used during parsing/indexing, in particular to set the host field. It is also the host field used at search time.

index String default Which index events from this input should be stored in.
no_appending_timestamp Boolean If set to true, prevents Splunk Enterprise from prepending a timestamp and hostname to incoming events.
no_priority_stripping Boolean If set to true, Splunk Enterprise does remove the priority field from incoming syslog events.
queue String Which queue events from this input should be sent to. Generally this does not need to be changed.
restrictToHost String Restrict incoming connections on this port to the host specified here.

If this is not set, the value specified in [udp://<remote server>:<port>] in inputs.conf is used.

source String The value to populate in the source field for incoming events. The same source should not be used for multiple data inputs.
sourcetype String The value to populate in the sourcetype field for incoming events.
Response data keys

None

[ Top ]



data/inputs/udp/{name}/connections


https://<host>:<mPort>/services/data/inputs/udp/{name}/connections

Authentication: Not required

Description

List connections to the {name} host or port.

Method summary
Method Description Formats
GET Lists connections to the named UDP input. XML, JSON

GET data/inputs/udp/{name}/connections method detail

Example

Request parameters

None

Response data keys
Name Description
disabled Indicates whether the inputs are disabled.
group Set to 'listenerports' for listening ports.

[ Top ]



data/inputs/win-event-log-collections


https://<host>:<mPort>/services/data/inputs/win-event-log-collections

Authentication: Not required

Description

Provides access to all configured event log collections.

Method summary
Method Description Formats
GET Retrieves a list of configured event log collections. XML, JSON
POST Creates of modifies existing event log collection settings. You can configure both native and WMI collection with this endpoint. XML, JSON

GET data/inputs/win-event-log-collections method detail

Example

Request parameters
Name Datatype Default Description
lookup_host String For internal use. Used by the UI when editing the initial host from which we gather event log data.

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
disabled Indicates if the input is disabled.
hosts The hosts that you are monitoring.
index The index in which to store the gathered data.

If not specified defaults to the default index.

logs List of event log channels to monitor.

POST data/inputs/win-event-log-collections method detail

Example

Request parameters
Name Datatype Default Description
hosts String A comma-separated list of additional hosts to be used for monitoring. The first host should be specified with "lookup_host", and the additional ones using this parameter.
index String default The index in which to store the gathered data.
logs String List of event log names from which to gather data:
  • WMI collection format (CSV) example:
    logs=Application%2CSystem%2CSetup%2CSecurity
  • Native event log collection format example:
    logs=Application&logs=System&logs=Setup
lookup_host
required
String The host from which to monitor log events. To specify additional hosts to be monitored using WMI, use the "hosts" parameter.
name
required
String This is the name of the collection. This name appears in configuration file, as well as the source and the sourcetype of the indexed data. If the value is "localhost", it uses native event log collection; otherwise, it uses WMI.
Response data keys
Name Description
disabled Indicates if the input is disabled.
hosts The hosts that you are monitoring.
index The index in which to store the gathered data.
logs List of event log channels to monitor.
lookup_host The host from which to monitor log events.
name The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is "localhost", it uses native event log collection; otherwise, it uses WMI

[ Top ]



data/inputs/win-event-log-collections/{name}


https://<host>:<mPort>/services/data/inputs/win-event-log-collections/{name}

Authentication: Not required

Description

Manage the {name} Windows event log.

Method summary
Method Description Formats
DELETE Deletes a given event log collection. XML, JSON
GET Gets the configuration settings for a given event log collection. XML, JSON
POST Modifies existing event log collection. XML, JSON

DELETE data/inputs/win-event-log-collections/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/inputs/win-event-log-collections/{name} method detail

Example

Request parameters
Name Datatype Default Description
lookup_host String For internal use. Used by the UI when editing the initial host from which we gather event log data.
Response data keys
Name Description
disabled Indicates if the input is disabled.
hosts The hosts that you are monitoring.
index The index in which to store the gathered data.

If not specified defaults to the default index.

logs List of event log channels to monitor.
lookup_host The host from which to monitor log events.
name The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI.

POST data/inputs/win-event-log-collections/{name} method detail

Example

Request parameters
Name Datatype Default Description
hosts String A comma-separated list of additional hosts to be used for monitoring. The first host should be specified with "lookup_host", and the additional ones using this parameter.
index String default The index in which to store the gathered data.
logs String A comma-separated list of event log names to gather data from.
lookup_host
required
String This is a host from which we monitor log events. To specify additional hosts to be monitored using WMI, use the "hosts" parameter.
Response data keys
Name Description
disabled Indicates if the input is disabled.
hosts The hosts that you are monitoring.
index The index in which to store the gathered data.
logs List of event log channels to monitor.
lookup_host The host from which to monitor log events.
name The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI.

[ Top ]



data/inputs/win-wmi-collections


https://<host>:<mPort>/services/data/inputs/win-wmi-collections

Authentication: Not required

Description

Provides access to all configured WMI collections.

Method summary
Method Description Formats
GET Provides access to all configure WMI collections. XML, JSON
POST Creates or modifies existing WMI collection settings. XML, JSON

GET data/inputs/win-wmi-collections method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
class The WMI performance object class being monitored.
disabled Indicates whther the input is disbled.
fields The WMI performance counters being monitored.
index The index to which you are sending input data.
instances Instances of the WMI performance counter.
interval The interval, in seconds, at which the WMI provider(s) are queried.
name the name of the input.
server The server you are monitoring.
wql The actual WQL query for monitoring the performance object.

POST data/inputs/win-wmi-collections method detail

Example

Request parameters
Name Datatype Default Description
classes
required
String A valid WMI class name.
disabled Number 0 Disables the given collection.
fields String 1. * Properties (fields) that you want to gather from the given class.

Specify each property as a separate argument to the POST operation.

index String default The index in which to store the gathered data.
instances String empty Instances of a given class for which data is gathered.

Specify each instance as a separate argument to the POST operation.

interval
required
Number The interval, in seconds, at which the WMI provider(s) is queried.
lookup_host
required
String This is the server from which we is gathering WMI data. If you need to gather data from more than one machine, additional servers can be specified in the 'server' parameter.
name
required
String This is the name of the collection. This name appears in configuration file, as well as the source and the sourcetype of the indexed data.
server String localhost A comma-separated list of additional servers that you want to gather data from. Use this if you need to gather from more than a single machine. See also lookup_host.
Response data keys
Name Description
classes A valid WMI class name.
disabled Indicates if the input is disabled.
fields Properties (fields) that you want to gather from the given class.
index The index in which to store the gathered data.
instances Instances of a given class for which data is gathered.
interval The interval, in seconds, at which the WMI provider(s) is queried.
lookup_host The host from which to monitor log events.
server Servers from which to gather data. Used if you need to gather from more than a single machine. See also lookup_host.
wql The actual WQL query for monitoring the performance object.

[ Top ]



data/inputs/win-wmi-collections/{name}


https://<host>:<mPort>/services/data/inputs/win-wmi-collections/{name}

Authentication: Not required

Description

Manage the {name} WMI collection.

Method summary
Method Description Formats
DELETE Deletes a given collection. XML, JSON
GET Gets information about a single collection. XML, JSON
POST Modifies a given WMI collection. XML, JSON

DELETE data/inputs/win-wmi-collections/{name} method detail

Example

Request parameters

None

Response data keys

None

Application usage

The method returns HTTP status code = 400, if {name} does not exist.


GET data/inputs/win-wmi-collections/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
classes A valid WMI class name.
disabled Indicates if the input is disabled.
fields Properties (fields) that you want to gather from the given class.
index The index in which to store the gathered data.
instances Instances of a given class for which data is gathered.
interval The interval, in seconds, at which the WMI provider(s) is queried.
lookup_host The host from which to monitor log events.
name The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI.
server Servers frpm which to gather data from. Used if you need to gather from more than a single machine. See also lookup_host.
wql The actual WQL query for monitoring the performance object.

POST data/inputs/win-wmi-collections/{name} method detail

Example

Request parameters
Name Datatype Default Description
classes
required
String A valid WMI class name.
disabled Number Disables the given collection.
fields String Properties (fields) that you want to gather from the given class.

Specify each property as a separate argument to the POST operation.

index String The index in which to store the gathered data.
instances String Instances of a given class for which data is gathered.

Specify each instance as a separate argument to the POST operation.

interval
required
Number The interval, in seconds, at which the WMI provider(s) is queried.
lookup_host
required
String This is the server from which we is gathering WMI data. If you need to gather data from more than one machine, additional servers can be specified in the 'server' parameter.
server String A comma-separated list of additional servers that you want to gather data from. Use this if you need to gather from more than a single machine. See also lookup_host parameter.
Response data keys
Name Description
classes A valid WMI class name.
disabled Indicates if the input is disabled.
fields Properties (fields) that you want to gather from the given class.
index The index in which to store the gathered data.
instances Instances of a given class for which data is gathered.
interval The interval, in seconds, at which the WMI provider(s) are queried.
lookup_host The host from which to monitor log events.
name The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI.
server Servers from which to gather data. Used if you need to gather from more than a single machine. See also lookup_host.
wql The actual WQL query for monitoring the performance object.

[ Top ]



data/inputs/win-perfmon


https://<host>:<mPort>/services/data/inputs/win-perfmon

Authentication: Not required

Description

Provides access to performance monitoring configuration. This input allows you to poll Windows performance monitor counters.

Method summary
Method Description Formats
GET Gets current performance monitoring configuration. XML, JSON
POST Creates new or modifies existing performance monitoring collection settings. XML, JSON

GET data/inputs/win-perfmon method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
counters List of valid Performance Monitor counters.
disabled Indicates whether the input is disabled.
index The index that this input should send data to.

If no value is present, send data to the default index.

instances List of valid instances for a Performance Monitor counter.
interval How often, in seconds, to poll for new data.
object A valid Performance Monitor object as defined within Performance Monitor.

POST data/inputs/win-perfmon method detail

Example

Request parameters
Name Datatype Default Description
counters String A set of counters to monitor. A '*' is equivalent to all counters.

Specify each counter as a separate argument to the POST operation.

host String Docs-W8R2-Std7 Name of the host for the Windows Performance Monitor.
index String default The index in which to store the gathered data.
instances String A set of counter instances to monitor. A '*' is equivalent to all instances.

Specify each instance as a separate argument to the POST operation.

interval Number How frequently, in seconds, to poll for new data.
name
required
String This is the name of the collection. This name appears in configuration file, as well as the source and the sourcetype of the indexed data.
object String A valid performance monitor object (for example, 'Process,' 'Server,' 'PhysicalDisk.')
source String Source for inputs.
sourcetype String Source type of input.
Response data keys
Name Description
counters List of valid Performance Monitor counters.
disabled Indicates whether the input is disabled.
host Name of the host for the Windows Performance Monitor.
index The index that this input should send data to.

If no value is present, send data to the default index.

instances List of valid instances for a Performance Monitor counter.
interval How frequently, in seconds, to poll for new data.
object A valid Performance Monitor object as defined within Performance Monitor.
source Source for inputs.
sourcetype Source type of the input.

[ Top ]



data/inputs/win-perfmon/{name}


https://<host>:<mPort>/services/data/inputs/win-perfmon/{name}

Authentication: Not required

Description

Manage the {name} performance monitoring stanza.

Method summary
Method Description Formats
DELETE Deletes a given monitoring stanza. XML, JSON
GET Gets settings for a given perfmon stanza. XML, JSON
POST Modifies existing monitoring stanza XML, JSON

DELETE data/inputs/win-perfmon/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/inputs/win-perfmon/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
counters List of valid Performance Monitor counters.
disabled Indicates whether the input is disabled.
index The index that this input should send data to.

If no value is present, send data to the default index.

instances List of valid instances for a Performance Monitor counter.
interval How often, in seconds, to poll for new data.
object A valid Performance Monitor object as defined within Performance Monitor.

POST data/inputs/win-perfmon/{name} method detail

Example

Request parameters
Name Datatype Default Description
counters String A set of counters to monitor. A '*' is equivalent to all counters.

Specify each counter as a separate argument to the POST operation.

host String Docs-W8R2-Std7 Name of the host for the Windows Performance Monitor.
index String default The index in which to store the gathered data.
instances String A set of counter instances to monitor. A '*' is equivalent to all instances.

Specify each instance as a separate argument to the POST operation.

interval Number How frequently, in seconds, to poll for new data.
object String A valid performance monitor object (for example, 'Process,' 'Server,' 'PhysicalDisk.')
source String Source for inputs.
sourcetype String Source type of input.
Response data keys
Name Description
counters List of valid Performance Monitor counters.
disabled Indicates whether the input is disabled.
host Name of the host for the Windows Performance Monitor.
index The index that this input should send data to.

If no value is present, send data to the default index.

instances List of valid instances for a Performance Monitor counter.
interval How frequently, in seconds, to poll for new data.
object A valid Performance Monitor object as defined within Performance Monitor,
source Source for inputs.
sourcetype Source type of the input.

[ Top ]



data/modular-inputs


https://<host>:<mPort>/services/data/modular-inputs

Authentication: Not required

Description

Provides access to currently defined modular inputs on the system.

Method summary
Method Description Formats
GET Lists information about configured modular inputs. XML, JSON

GET data/modular-inputs method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
description Provides descriptive text for title in the Splunk Manager page for Data inputs.

The description also appears on the Add new data inputs Manager page.

For more information, refer to Modular inputs: Introspection scheme details.

endpoint Contains one or more <arg> elements, which define the parameters to an endpoint.

For more information, refer to Modular inputs: Introspection scheme details.

streaming_mode Indicates the streaming mode for the modular input.

Valid values:

xml
simple

For more information, refer to Modular inputs: Introspection scheme details.

title The label for a modular input script.

The label appears in the Splunk Manager page for Data inputs.

For more information, refer to Modular inputs: Introspection scheme details.

Application usage

For more information on modular inputs, see Modular inputs overview in the Developing Views and Apps for Splunk Web manual.

[ Top ]



data/modular-inputs/{name}


https://<host>:<mPort>/services/data/modular-inputs/{name}

Authentication: Not required

Description

Get information about the {name} modular input.

Method summary
Method Description Formats
GET Lists information about the modular input specified by {name}. XML, JSON

GET data/modular-inputs/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
description The label for a modular input script.

The label appears in the Splunk Manager page for Data inputs.

For more information, refer to Modular inputs: Introspcetion scheme details.

endpoint Contains one or more <arg> elements, which define the parameters to an endpoint.

For more information, refer to Modular inputs: Introspcetion scheme details.

streaming_mode Indicates the streaming mode for the modular input.

Valid values:

xml
simple (plain text)

Contains one or more <arg> elements, which define the parameters to an endpoint.

For more information, refer to Modular inputs: Introspcetion scheme details.

title The label for a modular input script.

The label appears in the Splunk Manager page for Data inputs.

For more information, refer to Modular inputs: Introspection scheme details.

Application usage

For more information on modular inputs, see Modular inputs overview in the Developing Views and Apps for Splunk Web manual.

[ Top ]



indexing/preview


https://<host>:<mPort>/services/indexing/preview

Authentication: Not required

Description

Preview events from a source file before you index the file.

Method summary
Method Description Formats
GET Return a list of all data preview jobs. Data returned includes the Splunk Enterprise management URI to access each preview job. XML, JSON
POST Create a preview data job for the specified source file, returning the preview data job ID. XML, JSON

GET indexing/preview method detail

Example

Request parameters

None

Response data keys

None

Application usage

ou can also check the status of a data preview job with GET /search/jobs/{search_id} to obtain information such as the dispatchState, doneProgress, and eventCount. For more information, see GET /search/jobs/{search_id}.

Use the data preview job ID as the search_id parameter in GET /search/jobs/{search_id}/results_preview to preview events from the source file.

Data returned includes the Splunk Enterprise management URI for each data preview job.


POST indexing/preview method detail

Example

Request parameters
Name Datatype Default Description
input.path
required
String The absolute file path to a local file that you want to preview data returned from indexing.
props.<props_attr> String Define a new sourcetype in props.conf for preview data that you are indexing.

Typically, you first examine preview data events returned from GET /search/jobs/{job_id}events. Then you define new sourcetypes as needed with this endpoint.

Response data keys

None

Application usage

Use the POST operation of this endpoint to create a data preview job and return the corresponding data preview job ID.

Use the preview job ID as the search_id parameter in GET /search/jobs/{search_id}/results_preview to obtain a data preview.

You can optionally define sourcetypes for preview data job in props.conf.

[ Top ]



indexing/preview/{job_id}


https://<host>:<mPort>/services/indexing/preview/{job_id}

Authentication: Not required

Description

Get props.conf file settings for the {job_id} job.

Method summary
Method Description Formats
GET Returns the props.conf settings for the data preview job specified by {job_id}. XML, JSON

GET indexing/preview/{job_id} method detail

Example

Request parameters

None

Response data keys

None

[ Top ]



receivers/simple


https://<host>:<mPort>/services/receivers/simple

Authentication: Not required

Description

Allows for sending events to Splunk Enterprise in an HTTP request.

Method summary
Method Description Formats
POST Create events from the contents contained in the HTTP body. XML, JSON

POST receivers/simple method detail

Example

Request parameters
Name Datatype Default Description
<arbitrary_data>
required
String Raw event text. This is the entirety of the HTTP request body.
host String The value to populate in the host field for events from this data input.
host_regex String A regular expression used to extract the host value from each event.
index String default The index to send events from this input to.
source String The source value to fill in the metadata for this input's events.
sourcetype String The sourcetype to apply to events from this input.
Response data keys

None

[ Top ]



receivers/stream


https://<host>:<mPort>/services/receivers/stream

Authentication: Not required

Description

Open a socket to receive streaming data.

Method summary
Method Description Formats
POST Create events from the stream of data following HTTP headers. XML, JSON

POST receivers/stream method detail

Example

Request parameters
Name Datatype Default Description
<data_stream>
required
String Raw event text. This does not need to be presented as a complete HTTP request, but can be streamed in as data is available.
host String The value to populate in the host field for events from this data input.
host_regex String A regular expression used to extract the host value from each event.
index String The index to send events from this input to.
source String The source value to fill in the metadata for this input's events.
sourcetype String The sourcetype to apply to events from this input.
Response data keys

None

Application usage

Data transfer continues until you enter <CTRL-C>.

For streaming connections, set streaming and x-splunk-input-mode arguments in the header.

[ Top ]

Input endpoint examples

data/inputs/ad GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/inputs/ad
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-admon</title>
  <id>https://10.1.5.157:8089/services/data/inputs/ad</id>
  <updated>2011-07-29T19:13:28-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/ad/_new" rel="create"/>
  <link href="/services/data/inputs/ad/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>NearestDC</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/ad/NearestDC</id>
    <updated>2011-07-29T19:13:28-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="edit"/>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="index">default</s:key>
        <s:key name="monitorSubtree">1</s:key>
        <s:key name="startingNode"/>
        <s:key name="targetDc"/>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/ad POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/inputs/ad -d monitorSubtree=0 -d name=newdc
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-admon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
  <updated>2011-07-29T19:14:57-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/ad/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/ad/newdc
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-admon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
  <updated>2011-07-29T19:22:50-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/ad/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/ad/newdc
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-admon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
  <updated>2011-07-29T19:18:18-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>newdc</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad/newdc</id>
    <updated>2011-07-29T19:18:18-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>disabled</s:item>
                <s:item>index</s:item>
                <s:item>startingNode</s:item>
                <s:item>targetDc</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>monitorSubtree</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="monitorSubtree">0</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/ad/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/ad/newdc -d monitorSubtree=1
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-admon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
  <updated>2011-07-29T19:20:16-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/all GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/inputs/all
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>all</title>
  <id>https://localhost:8089/services/data/inputs/all</id>
  <updated>2012-10-01T16:08:24-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/all/_new" rel="create"/>
  <link href="/services/data/inputs/all/_reload" rel="_reload"/>
  <link href="/services/data/inputs/all/restart" rel="restart"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title></title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/all/</id>
    <updated>2012-10-01T16:08:24-07:00</updated>
    <link href="/servicesNS/nobody/system/data/inputs/all/" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/all/" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/all//_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/all/" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/inputs/all//enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="host">splunks-ombra.sv.splunk.com</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>$SPLUNK_HOME/etc/splunk.version</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version</id>
    <updated>2012-10-01T16:08:24-07:00</updated>
    <link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_TCP_ROUTING">*</s:key>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="filecount">1</s:key>
        <s:key name="host">splunks-ombra.sv.splunk.com</s:key>
        <s:key name="index">_internal</s:key>
        <s:key name="sourcetype">splunk_version</s:key>
      </s:dict>
    </content>
  </entry>
   . . . elided ...
</feed>

data/inputs/all/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/inputs/all/twitter
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>all</title>
  <id>https://localhost:8089/services/data/inputs/all</id>
  <updated>2012-07-11T08:03:17-07:00</updated>
  <generator build="129290" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/all/restart" rel="restart"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>twitter</title>
    <id>https://localhost:8089/services/data/inputs/all/twitter</id>
    <updated>2012-07-11T08:03:17-07:00</updated>
    <link href="/services/data/inputs/all/twitter" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/inputs/all/twitter" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description">Get data from Twitter.</s:key>
        ... eai:acl nodes and eai:attribute nodes elided ...
        <s:key name="endpoint">
          <s:dict>
            <s:key name="args">
              <s:dict>
                <s:key name="name">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Name of the current feed using the user credentials supplied.</s:key>
                    <s:key name="order">0</s:key>
                    <s:key name="title">Twitter feed name</s:key>
                  </s:dict>
                </s:key>
                <s:key name="password">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Your twitter password</s:key>
                    <s:key name="order">2</s:key>
                    <s:key name="required_on_create">1</s:key>
                    <s:key name="required_on_edit">0</s:key>
                    <s:key name="title">Password</s:key>
                  </s:dict>
                </s:key>
                <s:key name="username">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Your Twitter ID.</s:key>
                    <s:key name="order">1</s:key>
                    <s:key name="required_on_create">1</s:key>
                    <s:key name="required_on_edit">0</s:key>
                    <s:key name="title">Twitter ID/Handle</s:key>
                  </s:dict>
                </s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="streaming_mode">simple</s:key>
        <s:key name="title">Twitter</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/monitor GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/inputs/monitor
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/services/data/inputs/monitor</id>
  <updated>2011-07-10T14:25:53-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/monitor/_new" rel="create"/>
  <link href="/services/data/inputs/monitor/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>$SPLUNK_HOME/etc/splunk.version</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version</id>
    <updated>2011-07-10T14:25:53-07:00</updated>
    <link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_TCP_ROUTING">*</s:key>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="filecount">1</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">_internal</s:key>
        <s:key name="sourcetype">splunk_version</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/monitor POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor -d name=/var/log
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
  <updated>2011-07-10T14:27:57-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/monitor/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
  <updated>2011-07-10T14:35:35-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/monitor/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
  <updated>2011-07-10T14:33:54-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>/var/log</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog</id>
    <updated>2011-07-10T14:33:54-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/members" rel="members"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>blacklist</s:item>
                <s:item>check-index</s:item>
                <s:item>check-path</s:item>
                <s:item>crc-salt</s:item>
                <s:item>followTail</s:item>
                <s:item>host</s:item>
                <s:item>host_regex</s:item>
                <s:item>host_segment</s:item>
                <s:item>ignore-older-than</s:item>
                <s:item>index</s:item>
                <s:item>recursive</s:item>
                <s:item>rename-source</s:item>
                <s:item>sourcetype</s:item>
                <s:item>time-before-close</s:item>
                <s:item>whitelist</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="filecount">108</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/monitor/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog -d recursive=false
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
  <updated>2011-07-10T14:35:28-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/monitor/{name}/members GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/members
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
  <updated>2011-07-10T14:34:28-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>/var/log/acpid</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid</id>
    <updated>2011-07-10T14:34:28-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
      </s:dict>
    </content>
  </entry>
  . . . elided . . .
</feed>

data/inputs/oneshot GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/inputs/oneshot
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>oneshotinput</title>
  <id>https://localhost:8089/services/data/inputs/oneshot</id>
  <updated>2011-07-08T01:48:04-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/oneshot/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>/var/log/distccd.log</title>
    <id>https://localhost:8089/services/data/inputs/oneshot/%252Fvar%252Flog%252Fdistccd.log</id>
    <updated>2011-07-08T01:48:04-07:00</updated>
    <link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fdistccd.log" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fdistccd.log" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Bytes Indexed">7200768</s:key>
        <s:key name="Offset">7200768</s:key>
        <s:key name="Size">449630160</s:key>
        <s:key name="Sources Indexed">0</s:key>
        <s:key name="Spool Time">Fri Jul  8 01:47:53 PDT 2011</s:key>
        ... eai:acl node elided ...
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/oneshot POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/inputs/oneshot -d name=/var/log/messages
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>oneshotinput</title>
  <id>https://localhost:8089/services/data/inputs/oneshot</id>
  <updated>2011-07-08T01:48:04-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/oneshot/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/oneshot/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>oneshotinput</title>
  <id>https://localhost:8089/services/data/inputs/oneshot</id>
  <updated>2011-07-08T01:49:20-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/oneshot/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>/var/log/messages</title>
    <id>https://localhost:8089/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages</id>
    <updated>2011-07-08T01:49:20-07:00</updated>
    <link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Bytes Indexed">114822</s:key>
        <s:key name="Offset">114822</s:key>
        <s:key name="Size">114822</s:key>
        <s:key name="Sources Indexed">0</s:key>
        <s:key name="Spool Time">Fri Jul  8 01:48:04 PDT 2011</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/registry GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/inputs/registry
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-regmon</title>
  <id>https://10.1.5.157:8089/services/data/inputs/registry</id>
  <updated>2011-07-29T19:31:32-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/registry/_new" rel="create"/>
  <link href="/services/data/inputs/registry/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>Machine keys</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry/Machine%20keys</id>
    <updated>2011-07-29T19:31:32-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="baseline">0</s:key>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="hive">HKLM</s:key>
        <s:key name="index">default</s:key>
        <s:key name="monitorSubnodes">1</s:key>
        <s:key name="proc">c:\.*</s:key>
        <s:key name="type">
          <s:list>
            <s:item>set</s:item>
            <s:item>create</s:item>
            <s:item>delete</s:item>
            <s:item>rename</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/registry POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/registry -d baseline=1 -d hive="HKU\\.*" -d name=mykeys -d proc="c:\\.*" -d type="set|create|delete|rename"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-regmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
  <updated>2011-07-29T19:29:18-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/registry/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/registry/mykeys
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-regmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
  <updated>2011-07-29T19:36:54-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/registry/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/registry/mykeys
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-regmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
  <updated>2011-07-29T19:33:21-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>mykeys</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry/mykeys</id>
    <updated>2011-07-29T19:33:21-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="baseline">1</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>disabled</s:item>
                <s:item>index</s:item>
                <s:item>monitorSubnodes</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>baseline</s:item>
                <s:item>hive</s:item>
                <s:item>proc</s:item>
                <s:item>type</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="hive">HKU</s:key>
        <s:key name="index">default</s:key>
        <s:key name="monitorSubnodes">1</s:key>
        <s:key name="proc">c:\.*</s:key>
        <s:key name="type">
          <s:list>
            <s:item>set</s:item>
            <s:item>create</s:item>
            <s:item>delete</s:item>
            <s:item>rename</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/registry/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/registry/mykeys -d baseline=1 -d hive="HKU\\.*" -d proc="c:\\.*" -d type="set|create"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-regmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
  <updated>2011-07-29T19:36:07-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/script GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/inputs/script
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/services/data/inputs/script</id>
  <updated>2011-07-09T20:16:11-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/script/_new" rel="create"/>
  <link href="/services/data/inputs/script/_reload" rel="_reload"/>
  <link href="/services/data/inputs/script/restart" rel="restart"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>/Applications/splunk4.3/etc/apps/unix/bin/cpu.sh</title>
    <id>https://localhost:8089/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh</id>
    <updated>2011-07-09T20:16:11-07:00</updated>
    <link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh" rel="list"/>
    <link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh" rel="edit"/>
    <link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="endtime">Sat Jul  9 20:15:54 2011</s:key>
        <s:key name="group">exec commands</s:key>
        <s:key name="host">myhost.splunk.com</s:key>
        <s:key name="index">os</s:key>
        <s:key name="interval">30</s:key>
        <s:key name="source">cpu</s:key>
        <s:key name="sourcetype">cpu</s:key>
        <s:key name="starttime">Sat Jul  9 20:15:52 2011</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/script POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script -d name=/Applications/splunk4.3/etc/apps/myApp/bin/myScript.sh -d disabled=true -d interval=3600
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
  <updated>2011-07-09T20:25:17-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/script/restart POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script/restart -d script=/Applications/splunk/bin/scripts/myScript.sh
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
  <updated>2011-07-09T20:38:38-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/script/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk4.3%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
  <updated>2011-07-09T20:29:18-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/script/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
  <updated>2011-07-09T21:53:43-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>/Applications/splunk/etc/apps/myApp/bin/myScript.sh</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh</id>
    <updated>2011-07-09T21:53:43-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>disabled</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>interval</s:item>
                <s:item>rename-source</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="group">exec commands</s:key>
        <s:key name="host">ombroso-mbp15.splunk.com</s:key>
        <s:key name="index">default</s:key>
        <s:key name="interval">3600</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/script/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh -d interval=86400
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
  <updated>2011-07-09T20:27:59-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/tcp/cooked GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/cooked
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>cooked</title>
  <id>https://localhost:8089/services/data/inputs/tcp/cooked</id>
  <updated>2011-07-10T14:50:50-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/services/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>9993</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9993</id>
    <updated>2011-07-10T14:50:50-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/tcp/cooked POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked -d name=9998
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-10T14:52:33-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/tcp/cooked/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/tiny:9998
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-10T14:54:45-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/tcp/cooked/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-10T14:52:40-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>9998</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998</id>
    <updated>2011-07-10T14:52:40-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>SSL</s:item>
                <s:item>connection_host</s:item>
                <s:item>disabled</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>queue</s:item>
                <s:item>restrictToHost</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/tcp/cooked/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998 -d restrictToHost=tiny
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-10T14:52:54-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/tcp/cooked/{name}/connections GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/connections
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-13T14:55:18-0700</updated>
  <generator version="101277"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>Cooked:9998:127.0.0.1:20089</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089</id>
    <updated>2011-07-13T14:55:18-0700</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="connection">9998:127.0.0.1:20089</s:key>
        ... eai:acl node elided ...
        <s:key name="servername">fool03.splunk.com</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/tcp/raw GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/raw
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <id>https://localhost:8089/services/data/inputs/tcp/raw</id>
  <updated>2011-07-08T02:30:30-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/services/data/inputs/tcp/raw/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>44000</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44000</id>
    <updated>2011-07-08T02:30:30-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/tcp/raw POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw -d name=44343
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
  <updated>2011-07-08T02:30:30-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/tcp/raw/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
  <updated>2011-07-08T02:30:31-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/tcp/raw/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
  <updated>2011-07-08T02:37:09-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>44343</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343</id>
    <updated>2011-07-08T02:37:09-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>SSL</s:item>
                <s:item>connection_host</s:item>
                <s:item>disabled</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>queue</s:item>
                <s:item>restrictToHost</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/tcp/raw/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343 -d sourcetype=syslog
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
  <updated>2011-07-08T02:30:30-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/tcp/raw/{name}/connections GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/raw/9998/connections
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>raw</title>
  <id>https://localhost:8089/services/data/inputs/tcp/raw</id>
  <updated>2011-07-13T16:14:33-07:00</updated>
  <generator version="103477"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/services/data/inputs/tcp/raw/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>Raw:9998:127.0.0.1</title>
    <id>https://localhost:8089/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1</id>
    <updated>2011-07-13T16:14:33-07:00</updated>
    <link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="list"/>
    <link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1/_reload" rel="_reload"/>
    <link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="edit"/>
    <link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="connection">9998:127.0.0.1</s:key>
        ... eai:acl node elided ...
        <s:key name="servername"></s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/tcp/ssl GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/ssl
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>ssl</title>
  <id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
  <updated>2011-07-12T15:02:58-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/ssl/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title/>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/tcp/ssl/</id>
    <updated>2011-07-12T15:02:58-07:00</updated>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl//_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="host">ombroso-mbp15.splunk.com</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/tcp/ssl/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/ssl/ssl
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>ssl</title>
  <id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
  <updated>2011-07-12T15:04:41-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/ssl/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title/>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/tcp/ssl/</id>
    <updated>2011-07-12T15:04:41-07:00</updated>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl//_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="host">ombroso-mbp15.splunk.com</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/tcp/ssl/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/ssl/ssl -d disabled=true
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>ssl</title>
  <id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
  <updated>2011-07-12T15:05:42-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/ssl/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/udp GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/inputs/udp
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <id>https://localhost:8089/services/data/inputs/udp</id>
  <updated>2011-07-08T14:11:57-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/udp/_new" rel="create"/>
  <link href="/services/data/inputs/udp/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>44000</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44000</id>
    <updated>2011-07-08T14:11:57-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/udp POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp -d name=44321
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-08T14:12:13-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/udp/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-08T14:12:53-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/udp/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-08T14:12:27-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>44321</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321</id>
    <updated>2011-07-08T14:12:27-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>connection_host</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>no_appending_timestamp</s:item>
                <s:item>no_priority_stripping</s:item>
                <s:item>queue</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/udp/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321 -d sourcetype=syslog
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-08T14:12:47-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/udp/{name}/connections GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/9998/connections
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-13T17:08:18-07:00</updated>
  <generator version="103477"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>127.0.0.1</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/127.0.0.1</id>
    <updated>2011-07-13T17:08:18-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="group">hosts</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/win-event-log-collections GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/inputs/win-event-log-collections
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <id>https://10.1.5.157:8089/services/data/inputs/win-event-log-collections</id>
  <updated>2011-07-27T11:26:47-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/win-event-log-collections/_new" rel="create"/>
  <link href="/services/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>localhost</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost</id>
    <updated>2011-07-27T11:26:47-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="edit"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="hosts">localhost</s:key>
        <s:key name="index">default</s:key>
        <s:key name="logs">
          <s:list>
            <s:item>Application</s:item>
            <s:item>ForwardedEvents</s:item>
            <s:item>HardwareEvents</s:item>
            <s:item>Internet Explorer</s:item>
            <s:item>Security</s:item>
            <s:item>Setup</s:item>
            <s:item>System</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/win-event-log-collections POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections -d lookup_host=localhost -d name=mylogs -d logs=Application,System
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
  <updated>2011-07-27T11:56:24-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>localhost</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost</id>
    <updated>2011-07-27T11:56:24-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="hosts">localhost</s:key>
        <s:key name="index">default</s:key>
        <s:key name="logs">
          <s:list>
            <s:item>Application</s:item>
            <s:item>ForwardedEvents</s:item>
            <s:item>HardwareEvents</s:item>
            <s:item>Internet Explorer</s:item>
            <s:item>Security</s:item>
            <s:item>Setup</s:item>
            <s:item>System</s:item>
          </s:list>
        </s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">localhost</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/win-event-log-collections/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
  <updated>2011-07-27T13:45:24-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/win-event-log-collections/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
  <updated>2011-07-27T12:00:38-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>mylogs</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs</id>
    <updated>2011-07-27T12:00:38-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>hosts</s:item>
                <s:item>index</s:item>
                <s:item>logs</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>lookup_host</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="hosts"/>
        <s:key name="index">default</s:key>
        <s:key name="logs">
          <s:list>
            <s:item>Application,System</s:item>
          </s:list>
        </s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">mylogs</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/win-event-log-collections/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs -d lookup_host=localhost -d logs=Application
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
  <updated>2011-07-27T13:43:46-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>localhost</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost</id>
    <updated>2011-07-27T13:43:46-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="hosts">localhost</s:key>
        <s:key name="index">default</s:key>
        <s:key name="logs">
          <s:list>
            <s:item>Application</s:item>
            <s:item>ForwardedEvents</s:item>
            <s:item>HardwareEvents</s:item>
            <s:item>Internet Explorer</s:item>
            <s:item>Security</s:item>
            <s:item>Setup</s:item>
            <s:item>System</s:item>
          </s:list>
        </s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">localhost</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/win-wmi-collections GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/inputs/win-wmi-collections
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <id>https://10.1.5.157:8089/services/data/inputs/win-wmi-collections</id>
  <updated>2011-07-27T14:00:24-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/win-wmi-collections/_new" rel="create"/>
  <link href="/services/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>CPUTime</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime</id>
    <updated>2011-07-27T14:00:24-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="edit"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="class">Win32_PerfFormattedData_PerfOS_Processor</s:key>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="fields">
          <s:list>
            <s:item>PercentProcessorTime</s:item>
            <s:item>PercentUserTime</s:item>
          </s:list>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="instances">
          <s:list>
            <s:item>_Total</s:item>
          </s:list>
        </s:key>
        <s:key name="interval">3</s:key>
        <s:key name="name"/>
        <s:key name="server">localhost</s:key>
        <s:key name="wql">SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/win-wmi-collections POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections -d classes=Win32_PerfFormattedData_PerfOS_Processor -d interval=5 -d lookup_host=localhost -d name=cpu
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
  <updated>2011-07-27T14:05:43-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>CPUTime</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime</id>
    <updated>2011-07-27T14:05:43-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="index">default</s:key>
        <s:key name="interval">3</s:key>
        <s:key name="wql">SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/win-wmi-collections/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
  <updated>2011-07-27T14:21:17-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/win-wmi-collections/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
  <updated>2011-07-27T14:09:39-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>cpu</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu</id>
    <updated>2011-07-27T14:09:39-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="classes">Win32_PerfFormattedData_PerfOS_Processor</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>disabled</s:item>
                <s:item>fields</s:item>
                <s:item>index</s:item>
                <s:item>instances</s:item>
                <s:item>server</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>classes</s:item>
                <s:item>interval</s:item>
                <s:item>lookup_host</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="fields">
          <s:list>
            <s:item>*</s:item>
          </s:list>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="instances">
          <s:list/>
        </s:key>
        <s:key name="interval">5</s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">cpu</s:key>
        <s:key name="server"/>
        <s:key name="wql">Select * from Win32_PerfFormattedData_PerfOS_Processor</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/win-wmi-collections/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu -d classes=Win32_PerfFormattedData_PerfOS_Processor -d interval=5 -d lookup_host=localhost -d server=xx.1.5.157,10.1.5.158
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
  <updated>2011-07-27T14:15:33-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>cpu</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu</id>
    <updated>2011-07-27T14:15:33-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="classes">Win32_PerfFormattedData_PerfOS_Processor</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="fields">
          <s:list>
            <s:item>*</s:item>
          </s:list>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="instances">
          <s:list/>
        </s:key>
        <s:key name="interval">5</s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">cpu</s:key>
        <s:key name="server"/>
        <s:key name="wql">Select * from Win32_PerfFormattedData_PerfOS_Processor</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/win-perfmon GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/inputs/win-perfmon
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-perfmon</title>
  <id>https://10.1.5.157:8089/services/data/inputs/win-perfmon</id>
  <updated>2011-07-29T19:42:06-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/win-perfmon/_new" rel="create"/>
  <link href="/services/data/inputs/win-perfmon/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>Available Memory</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory</id>
    <updated>2011-07-29T19:42:06-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="edit"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="counters">
          <s:list>
            <s:item>Available Bytes</s:item>
          </s:list>
        </s:key>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="index">default</s:key>
        <s:key name="instances">
          <s:list/>
        </s:key>
        <s:key name="interval">10</s:key>
        <s:key name="object">Memory</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/win-perfmon POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon -d interval=4 -d name=mymemory -d object=Memory
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-perfmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
  <updated>2011-07-29T19:40:38-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>Available Memory</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory</id>
    <updated>2011-07-29T19:40:38-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="counters">Available Bytes</s:key>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="instances"/>
        <s:key name="interval">10</s:key>
        <s:key name="object">Memory</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/win-perfmon/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-perfmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
  <updated>2011-07-29T19:47:06-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/inputs/win-perfmon/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-perfmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
  <updated>2011-07-29T19:44:21-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>mymemory</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory</id>
    <updated>2011-07-29T19:44:21-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="counters">
          <s:list/>
        </s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>counters</s:item>
                <s:item>disabled</s:item>
                <s:item>index</s:item>
                <s:item>instances</s:item>
                <s:item>interval</s:item>
                <s:item>object</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="instances">
          <s:list/>
        </s:key>
        <s:key name="interval">4</s:key>
        <s:key name="object">Memory</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/win-perfmon/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory -d interval=10
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-perfmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
  <updated>2011-07-29T19:45:59-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>Available Memory</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory</id>
    <updated>2011-07-29T19:45:59-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="counters">Available Bytes</s:key>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="instances"/>
        <s:key name="interval">10</s:key>
        <s:key name="object">Memory</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/modular-inputs GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/modular-inputs
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>modular-inputs</title>
  <id>https://localhost:8089/services/data/modular-inputs</id>
  <updated>2012-07-09T09:12:41-07:00</updated>
  <generator build="129290" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
   ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>s3</title>
    <id>https://localhost:8089/services/data/modular-inputs/s3</id>
    <updated>2012-07-09T09:12:41-07:00</updated>
    <link href="/services/data/modular-inputs/s3" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/modular-inputs/s3" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description">Get data from Amazon S3.</s:key>
        ... eai:acl node elided ...
        <s:key name="endpoint">
          <s:dict>
            <s:key name="args">
              <s:dict>
                <s:key name="key_id">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Your Amazon key ID.</s:key>
                    <s:key name="order">1</s:key>
                    <s:key name="required_on_create">1</s:key>
                    <s:key name="required_on_edit">0</s:key>
                    <s:key name="title">Key ID</s:key>
                  </s:dict>
                </s:key>
                <s:key name="name">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description"><![CDATA[An S3 resource name without the leading s3://.  For example, for s3://bucket/file.txt specify bucket/file.txt.  You can also monitor a whole bucket (for example by specifying 'bucket'), or files within a sub-directory of a bucket (for example 'bucket/some/directory/'; note the trailing slash).]]></s:key>
                    <s:key name="order">0</s:key>
                    <s:key name="title">Resource name</s:key>
                  </s:dict>
                </s:key>
                <s:key name="secret_key">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Your Amazon secret key.</s:key>
                    <s:key name="order">2</s:key>
                    <s:key name="required_on_create">1</s:key>
                    <s:key name="required_on_edit">0</s:key>
                    <s:key name="title">Secret key</s:key>
                  </s:dict>
                </s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="streaming_mode">xml</s:key>
        <s:key name="title">Amazon S3</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>twitter</title>
    <id>https://localhost:8089/services/data/modular-inputs/twitter</id>
    . . . elided . . .
  </entry>
</feed>

data/modular-inputs/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/modular-inputs/twitter
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>modular-inputs</title>
  <id>https://localhost:8089/services/data/modular-inputs</id>
  <updated>2012-07-09T11:07:29-07:00</updated>
  <generator build="129290" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>twitter</title>
    <id>https://localhost:8089/services/data/modular-inputs/twitter</id>
    <updated>2012-07-09T11:07:29-07:00</updated>
    <link href="/services/data/modular-inputs/twitter" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/modular-inputs/twitter" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description">Get data from Twitter.</s:key>
        ... eai:acl and eai:attribute nodes elided ...
        <s:key name="endpoint">
          <s:dict>
            <s:key name="args">
              <s:dict>
                <s:key name="name">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Name of the current feed using the user credentials supplied.</s:key>
                    <s:key name="order">0</s:key>
                    <s:key name="title">Twitter feed name</s:key>
                  </s:dict>
                </s:key>
                <s:key name="password">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Your twitter password</s:key>
                    <s:key name="order">2</s:key>
                    <s:key name="required_on_create">1</s:key>
                    <s:key name="required_on_edit">0</s:key>
                    <s:key name="title">Password</s:key>
                  </s:dict>
                </s:key>
                <s:key name="username">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Your Twitter ID.</s:key>
                    <s:key name="order">1</s:key>
                    <s:key name="required_on_create">1</s:key>
                    <s:key name="required_on_edit">0</s:key>
                    <s:key name="title">Twitter ID/Handle</s:key>
                  </s:dict>
                </s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="streaming_mode">simple</s:key>
        <s:key name="title">Twitter</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

indexing/preview GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/indexing/preview
XML Response

feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">

<title>preview</title>
 <id>https://localhost:8089/services/indexing/preview</id>
 <updated>2011-11-28T14:35:35-08:00</updated>
 <generator version="108769"/>
 <author>
   <name>Splunk</name>
 </author>
 <entry>
   <title>1322518170.8</title>
   <id>https://localhost:8089/services/indexing/preview/1322518170.8</id>
   <updated>2011-11-28T14:35:35-08:00</updated>
   <link href="/services/indexing/preview/1322518170.8" rel="alternate"/>
   <link href="/services/search/jobs/1322518170.8" rel="job"/>
 </entry>
 <entry>
   <title>1322519686.9</title>
   <id>https://localhost:8089/services/indexing/preview/1322519686.9</id>
   <updated>2011-11-28T14:35:35-08:00</updated>
   <link href="/services/indexing/preview/1322519686.9" rel="alternate"/>
   <link href="/services/search/jobs/1322519686.9" rel="job"/>
 </entry>
 <entry>
   <title>1322519724.10</title>
   <id>https://localhost:8089/services/indexing/preview/1322519724.10</id>
   <updated>2011-11-28T14:35:35-08:00</updated>
   <link href="/services/indexing/preview/1322519724.10" rel="alternate"/>
   <link href="/services/search/jobs/1322519724.10" rel="job"/>
 </entry>

</feed></pre>


indexing/preview POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/indexing/preview -d input.path=/Applications/splunk/var/log/splunk/metrics.log
XML Response

<response>

<messages>
   <msg type='INFO'>1319496093.11</msg>
 </messages>

</response>


indexing/preview/{job_id} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/indexing/preview/1319496093.11
XML Response

<entry xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>1319496093.11</title>
  <id>https://localhost:8089/services/indexing/preview/1319496093.11</id>
  <updated>2011-10-24T15:44:09-07:00</updated>
  <link href="/services/indexing/preview/1319496093.11" rel="alternate"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="explicit">
        <s:dict>
          <s:key name="PREFERRED_SOURCETYPE">
            <s:dict>
              <s:key name="value">splunkd</s:key>
            </s:dict>
          </s:key>
        </s:dict>
      </s:key>
      <s:key name="inherited">
        <s:dict>
          <s:key name="ANNOTATE_PUNCT">
            <s:dict>
              <s:key name="value">True</s:key>
              <s:key name="stanza">default</s:key>
            </s:dict>
          </s:key>
          . . . elided . . .
          <s:key name="sourcetype">
            <s:dict>
              <s:key name="value">splunkd</s:key>
              <s:key name="stanza">source::.../var/log/splunk/metrics.log(.\d+)?</s:key>
            </s:dict>
          </s:key>
        </s:dict>
      </s:key>
    </s:dict>
  </content>
  <link href="/services/search/jobs/1319496093.11" rel="job"/>
</entry>

receivers/simple POST

XML
XML Request

curl -k -u admin:pass "https://localhost:8089/services/receivers/simple?source=www&sourcetype=web_event" -d "Sun Jul 10 15:56:02 PDT 2011   User myusername logged in successfully."
XML Response

<response>

<results>
   <result>
     <field k="_index">
       <value>
         <text>default</text>
       </value>
     </field>
     <field k="bytes">
       <value>
         <text>67</text>
       </value>
     </field>
     <field k="host">
       <value>
         <text>127.0.0.1</text>
       </value>
     </field>
     <field k="source">
       <value>
         <text>www</text>
       </value>
     </field>
     <field k="sourcetype">
       <value>
         <text>web_event</text>
       </value>
     </field>
   </result>
 </results>

</response>


receivers/stream POST

Python
Python Request

import httplib, time

conn = httplib.HTTPSConnection("localhost", 8089)
conn.connect()
conn.putrequest("POST", "/services/receivers/stream?source=www&sourcetype=web_data")
conn.putheader("Authorization", "Splunk 67bed982ce1af9ba2e393b15ed63c916")
conn.putheader("x-splunk-input-mode", "streaming")
conn.endheaders()

while True:

  conn.send("%s A sample event.\n" % time.asctime())
   time.sleep(1)


Python Response

Streamed data

Introspection endpoints

Introspection endpoint descriptions

Get information about the system.

data/index-volumes


https://<host>:<mPort>/services/data/index-volumes

Authentication: Not required

Description

Provides information about the volume (logical drives) in use by Splunk Enterprise.

The default update period is 10 minutes, as defined by the collectionPeriodInSecs attribute in the $SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf file.

At least one observation period must pass after Splunk Enterprise startup for valid endpoint data to be available. The observation period is defined in the $SPLUNK_HOME/etc/system/default/server.conf file:


[introspection:generator:disk_objects]
collectionPeriodInSecs = 600
Method summary
Method Description Formats
GET List the Splunk Enterprise volume(s). XML, JSON

GET data/index-volumes method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
max_size Maximum name volume size limit (MB):

infinite = No maximum specified.

name Volume name.
total_size Total name volume capacity (MB). If max_size is infinite, this field is not listed.

[ Top ]



data/index-volumes/{name}


https://<host>:<mPort>/services/data/index-volumes/{name}

Authentication: Not required

Description

Provides information about a particular volume (logical drive).

The default update period is 10 minutes, as defined by the collectionPeriodInSecs attribute in the $SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf file.

At least one observation period must pass after Splunk Enterprise startup for valid endpoint data to be available. The observation period is defined in the $SPLUNK_HOME/etc/system/default/server.conf file:


[introspection:generator:disk_objects]
collectionPeriodInSecs = 600
Method summary
Method Description Formats
GET List specified volume properties. XML, JSON

GET data/index-volumes/{name} method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
max_size Maximum name volume size limit (MB):

infinite = No maximum specified (i.e., 0, the default)

name Volume name.
total_size Total name volume capacity (MB). If max_size is infinite, this field is not listed.

[ Top ]



data/indexes


https://<host>:<mPort>/services/data/indexes

Authentication: Not required

Description

Provides services to create and manage data indexes.

Method summary
Method Description Formats
GET Lists the recognized indexes on the server. XML, JSON
POST Creates a new index with the given name. XML, JSON

GET data/indexes method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
assureUTF8 Indicates whether all data retreived from the index is proper UTF8. If enabled (set to True), degrades indexing performance.

This is a global setting, not a per index setting.

blockSignSize Controls how many events make up a block for block signatures.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

blockSignatureDatabase The index that stores block signatures of events.

This is a global setting, not a per index setting.

coldPath Filepath to the cold databases for the index.
coldPath_expanded Absoute filepath to the cold databases.
coldToFrozenDir Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk Enterprise automatically puts frozen buckets in this directory.

Bucket freezing policy is as follows:

  • New style buckets (4.2 and on): removes all files but the rawdata
To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory
  • Old style buckets (Pre-4.2): gzip all the .data and .tsidx files
To thaw, gunzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.

coldToFrozenScript Path to the archiving script.

See the POST parameter description for details.

compressRawdata This value is ignored. splunkd process always compresses raw data.
currentDBSizeMB Total size, in MB, of data stored in the index. The total incudes data in the home, cold and thawed paths.
defaultDatabase If no index destination information is available in the input data, the index shown here is the destination of such data.
disabled Indicates if the index is disabled.
enableRealtimeSearch Indicates if this is a real-time search.

This is a global setting, not a per index setting.

frozenTimePeriodInSecs Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

homePath An absolute path that contains the hot and warm buckets for the index.
homePath_expanded An absolute filepath to the hot and warm buckets for the index.
indexThreads Number of threads used for indexing.

This is a global setting, not a per index setting.

isInternal Indicates if this is an internal index (for example, _internal, _audit).
lastInitTime Last time the index processor was successfully initialized.

This is a global setting, not a per index setting.

maxConcurrentOptimizes The number of concurrent optimize processes that can run against a hot bucket.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

maxDataSize The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk Enterprise to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day.
  • "auto" sets the size to 750MB.
  • "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize is auto-tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

maxHotBuckets Maximum hot buckets that can exist per index. Defaults to 3.

When maxHotBuckets is exceeded, Splunk Enterprise rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

maxHotIdleSecs Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time).

If a hot bucket exceeds maxHotIdleSecs, Splunk Enterprise rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.

maxHotSpanSecs Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).

Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

maxMemMB The amount of memory, in MB, allocated for indexing.

This is a global setting, not a per index setting.

maxMetaEntries Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

maxRunningProcessGroups Maximum number of processes that the indexer fires off at a time.

This is a global setting, not a per index setting.

maxTime UNIX timestamp of the newest event time in the index.
maxTotalDataSizeMB The maximum size of an index, in MB.
maxWarmDBCount The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times are moved to cold.
memPoolMB Determines how much memory is given to the indexer memory pool.

This is a global setting, not a per-index setting.

minRawFileSyncSecs Can be either an integer (or "disable"). Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed

The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

minTime UNIX timestamp of the oldest event time in the index.
partialServiceMetaPeriod Related to serviceMetaPeriod. By default it is turned off (zero).

If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

quarantineFutureSecs Events with timestamp of quarantineFutureSecs newer than "now" that are dropped into quarantine bucket. Defaults to 2592000 (30 days).

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

quarantinePastSecs Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

rawChunkSizeBytes Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.

rotatePeriodInSecs Rotation period, in seconds, that specifies how frequently to check:
  • If a new hot bucket needs to be created.
  • If there are any cold buckets that should be frozen.
  • If there are any buckets that need to be moved out hot and cold DBs, due to size constraints.
serviceMetaPeriod Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

summarize If true, leaves out certain index details, which provides a faster response.
suppressBannerList List of indexes for which we suppress "index missing" warning banner messages.

This is a global setting, not a per index setting.

sync Specifies the number of events that trigger the indexer to sync events.

This is a global setting, not a per index setting.

syncMeta When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.

Note: Do not change this parameter without the input of Splunk Support.

thawedPath An absolute path that contains the thawed (resurrected) databases for the index.
thawedPath_expanded Absolute filepath to the thawed (resurrected) databases.
throttleCheckPeriod Defines how frequently Splunk Enterprise checks for index throttling condition, in seconds. Defaults to 15 (seconds).

Note: Do not change this parameter without the input of Splunk Support.

totalEventCount Total number of events in the index.

POST data/indexes method detail

Example

Request parameters
Name Type Default Description
blockSignSize Number 0 Controls how many events make up a block for block signatures.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

bucketRebuildMemoryHint String auto Suggestion for the Splunk Enterprise bucket rebuild process for the size of the time-series (tsidx) file to make.

Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support.

Default value, auto, varies by the amount of physical RAM on the host

  • less than 2GB RAM = 67108864 (64MB) tsidx
  • 2GB to 8GB RAM = 134217728 (128MB) tsidx
  • more than 8GB RAM = 268435456 (256MB) tsidx

Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295

You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.

coldPath String An absolute path that contains the colddbs for the index. The path must be readable and writable. Cold databases are opened as needed when searching. May be defined in terms of a volume definition (see volume section below).

Required. Splunk Enterprise does not start if an index lacks a valid coldPath.

coldToFrozenDir String Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk Enterprise automatically puts frozen buckets in this directory.

Bucket freezing policy is as follows:

  • New style buckets (4.2 and on): removes all files but the rawdata
To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory
  • Old style buckets (Pre-4.2): gzip all the .data and .tsidx files
To thaw, gunzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence

coldToFrozenScript String Path to the archiving script.

If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories.

Splunk Enterprise ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. Splunk DOES NOT recommend using this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade.

Splunk recommends copying the example script to a new file in bin and modifying it for your system. Most importantly, change the default archive path to an existing directory that fits your needs.

If your new script in bin/ is named myColdToFrozen.py, set this key to the following:

coldToFrozenScript = "$SPLUNK_HOME/bin/python" "$SPLUNK_HOME/bin/myColdToFrozen.py"

By default, the example script has two possible behaviors when archiving:

  • For buckets created from version 4.2 and on, it removes all files except for rawdata. To thaw: cd to the frozen bucket and type splunk rebuild ., then copy the bucket to thawed for that index. We recommend using the coldToFrozenDir parameter unless you need to perform a more advanced operation upon freezing buckets.
  • For older-style buckets, we simply gzip all the .tsidx files. To thaw: cd to the frozen bucket and unzip the tsidx files, then copy the bucket to thawed for that index
compressRawdata Boolean true This parameter is ignored. The splunkd process always compresses raw data.
enableOnlineBucketRepair Boolean true Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk.

When enabled, you do not have to wait until buckets are repaired to start Splunk. However, you might observe a slight performance degratation.

frozenTimePeriodInSecs Number 188697600 Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

homePath String An absolute path that contains the hot and warm buckets for the index.

Required. Splunk Enterprise does not start if an index lacks a valid homePath.

CAUTION: Path MUST be readable and writable.

maxBloomBackfillBucketAge Number 30d Valid values are: Integer[m|s|h|d]

If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters.

For example, if a bucket is older than specified with maxBloomBackfillBucketAge, and the rebuilding of its bloomfilter started but did not finish, do not rebuild it.

maxConcurrentOptimizes Number 6 The number of concurrent optimize processes that can run against a hot bucket.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

maxDataSize Number auto The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk Enterprise to autotune this parameter (recommended).Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day.
  • "auto" sets the size to 750MB.
  • "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize is auto-tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

maxHotBuckets Number 3 Maximum hot buckets that can exist per index. Defaults to 3.

When maxHotBuckets is exceeded, Splunk Enterprise rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

maxHotIdleSecs Number 0 Maximum life, in seconds, of a hot bucket. Defaults to 0.

If a hot bucket exceeds maxHotIdleSecs, Splunk Enterprise rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).

maxHotSpanSecs Number 7776000 Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).

Note:I f you set this too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

maxMemMB Number 5 The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments.

IMPORTANT: Calculate this number carefully. Setting this number incorrectly may have adverse effects on your systems memory and/or splunkd stability/performance.

maxMetaEntries Number 1000000 Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

maxTimeUnreplicatedNoAcks Number 300 Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored.

If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies.

Highest legal value is 2147483647. To disable this parameter, set to 0.

Note: this is an advanced parameter. Understand the consequences before changing.

maxTimeUnreplicatedWithAcks Number 60 Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering).

Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza.

To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.

maxTotalDataSizeMB Number 500000 The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen.
maxWarmDBCount Number 300 The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times is moved to cold.
minRawFileSyncSecs Number disable Specify an integer (or "disable") for this parameter.

This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

Note: Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed

minStreamGroupQueueSize Number 2000 Minimum size of the queue that stores events in memory before committing them to a tsidx file.

Caution: Do not set this value, except under advice from Splunk Support.

name
required
String The name of the index to create.
partialServiceMetaPeriod Number 0 Related to serviceMetaPeriod. If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

By default it is turned off (zero).

processTrackerServiceInterval Number 1 Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15.

If set to 0, the indexer checks child process status every second.

Highest legal value is 4294967295.

quarantineFutureSecs Number 2592000 Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days).

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

quarantinePastSecs Number 77760000 Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

rawChunkSizeBytes Number 131072 Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

WARNING: This is an advanced parameter. Only change it if you are instructed to do so by Splunk Support.

repFactor String 0 Index replication control. This parameter applies to only Splunk Enterprise clustering slaves.

auto = Use the master index replication configuration value.

0 = Turn off replication for this index.

rotatePeriodInSecs Number 60 How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen.
serviceMetaPeriod Number 25 Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

syncMeta Boolean true When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.

Note: Do not change this parameter without the input of a Splunk Support.

thawedPath String An absolute path that contains the thawed (resurrected) databases for the index.

Cannot be defined in terms of a volume definition.

Required. Splunk Enterprise does not start if an index lacks a valid thawedPath</codePath>.


throttleCheckPeriod Number 15 Defines how frequently Splunk Enterprise checks for index throttling condition, in seconds. Defaults to 15 (seconds).

Note: Do not change this parameter without the input of Splunk Support.

tstatsHomePath String Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter.

If specified, it must be defined in terms of a volume definition.

Caution: Path must be writable.

Default value: volume:_splunk_summaries/$_index_name/tstats

warmToColdScript String Path to a script to run when moving data from warm to cold.

This attribute is supported for backwards compatibility with Splunk Enterprise versions older than 4.0. Contact Splunk support if you need help configuring this setting.

Caution: Migrating data across filesystems is now handled natively by splunkd. If you specify a script here, the script becomes responsible for moving the event data, and Splunk-native data migration is not used.

Response data keys
Name Description
assureUTF8 Boolean value indicating wheter all data retreived from the index is proper UTF8.

If enabled (set to True), degrades indexing performance

Can only be set globally.

blockSignSize Controls how many events make up a block for block signatures.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

blockSignatureDatabase The index that stores block signatures of events.

This is a global setting, not a per index setting.

bucketRebuildMemoryHint Suggestion for the Splunk Enterprise bucket rebuild process for the size of the time-series (tsidx) file to make.
coldPath Filepath to the cold databases for the index.
coldPath_expanded Absoute filepath to the cold databases.
coldToFrozenDir Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk Enterprise automatically puts frozen buckets in this directory.

Bucket freezing policy is as follows:

  • New style buckets (4.2 and on): removes all files but the rawdata
To thaw, run <code>splunk rebuild <bucket dir> on the bucket, then move to the thawed directory
  • Old style buckets (Pre-4.2): gzip all the .data and .tsidx files
To thaw, gunzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.

coldToFrozenScript Path to the archiving script.

See the POST parameter description for details.

compressRawdata This value is ignored. splunkd process always compresses raw data.
currentDBSizeMB Total size, in MB, of data stored in the index. The total incudes data in the home, cold and thawed paths.
defaultDatabase If no index destination information is available in the input data, the index shown here is the destination of such data.
enableOnlineBucketRepair Indicates whether to run asynchronous "online fsck" bucket repair, which runs in a process concurrently with Splunk.
enableRealtimeSearch Indicates if this is a real-time search.

This is a global setting, not a per index setting.

frozenTimePeriodInSecs Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

homePath An absolute path that contains the hot and warm buckets for the index.
homePath_expanded An absolute filepath to the hot and warm buckets for the index.
indexThreads Number of threads used for indexing.

This is a global setting, not a per index setting.

isInternal Indicates if this is an internal index (for example, _internal, _audit).
lastInitTime Last time the index processor was successfully initialized.

This is a global setting, not a per index setting.

maxBloomBackfillBucketAge If a bucket (warm or cold) is older than this, Splunk Enterprise does not create (or re-create) its bloom filter.
maxConcurrentOptimizes The number of concurrent optimize processes that can run against a hot bucket.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

maxDataSize The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk Enterprise to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day.
  • "auto" sets the size to 750MB.
  • "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize is auto-tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

maxHotBuckets Maximum hot buckets that can exist per index. Defaults to 3.

When maxHotBuckets is exceeded, Splunk Enterprise rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

maxHotIdleSecs Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time).

If a hot bucket exceeds maxHotIdleSecs, Splunk Enterprise rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.

maxHotSpanSecs Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).

Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

maxMemMB The amount of memory, in MB, allocated for indexing.

This is a global setting, not a per index setting.

maxMetaEntries Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

maxTime UNIX timestamp of the newest event time in the index.
maxTimeUnreplicatedNoAcks Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored.

If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies.

Highest legal value is 2147483647. To disable this parameter, set to 0.

Note: this is an advanced parameter. Understand the consequences before changing.

maxTimeUnreplicatedWithAcks Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering).

Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza.

To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.

maxTotalDataSizeMB The maximum size of an index, in MB.
maxWarmDBCount The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times are moved to cold.
memPoolMB Determines how much memory is given to the indexer memory pool.

This is a global setting, not a per-index setting.

minRawFileSyncSecs Can be either an integer (or "disable"). Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed

The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

minStreamGroupQueueSize Minimum size of the queue that stores events in memory before committing them to a tsidx file.
minTime UNIX timestamp of the oldest event time in the index.
partialServiceMetaPeriod Related to serviceMetaPeriod. By default it is turned off (zero).

If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

processTrackerServiceInterval How often, in seconds, the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests.
quarantineFutureSecs Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days).

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

quarantinePastSecs Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

rawChunkSizeBytes Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.

repFactor Index replication control. This parameter applies to only Splunk Enterprise clustering slaves.

auto = Use the master index replication configuration value.

0 = Turn off replication for this index.

rotatePeriodInSecs Rotation period, in seconds, that specifies how frequently to check:
  • If a new hot bucket needs to be created.
  • If there are any cold buckets that should be frozen.
  • If there are any buckets that need to be moved out hot and cold DBs, due to size constraints.
serviceMetaPeriod Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

suppressBannerList List of indexes for which we suppress "index missing" warning banner messages.

This is a global setting, not a per index setting.

sync Specifies the number of events that trigger the indexer to sync events.

This is a global setting, not a per index setting.

syncMeta When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.

Note: Do not change this parameter without the input of Splunk Support.

thawedPath Filepath to the thawed (resurrected) databases for the index.
thawedPath_expanded Absolute filepath to the thawed (resurrected) databases.
throttleCheckPeriod Defines how frequently Splunk Enterprise checks for index throttling condition, in seconds. Defaults to 15 (seconds).

Note: Do not change this parameter without the input of Splunk Support.

totalEventCount Total number of events in the index.
tstatsHomePath Location where datamodel acceleration TSIDX data for this index is stored.
warmToColdScript Script to run when moving data from warm to cold. See input parameter description for details.

[ Top ]



data/indexes/{name}


https://<host>:<mPort>/services/data/indexes/{name}

Authentication: Not required

Description

Manage {name} index.

Method summary
Method Description Formats
DELETE Removes the index specified by {name} (not just the data contained in it). XML, JSON
GET Retrieves information about the named index. XML, JSON
POST Updates the data index specified by {name} with information specified with index attributes. XML, JSON

DELETE data/indexes/{name} method detail

Example

Request parameters

None

Response data keys

None

Application usage

Before executing this operation, look through all inputs.conf files (on your indexer and on any forwarders sending data to the indexer) and make sure that none of the stanzas are directing data to the index you plan to delete.

In other words, if you want to delete an index called "nogood," make sure the attribute/value pair index=nogood does not appear in any input stanzas. Once the index is deleted, Splunk Enterprise discards any data sent to that index.

For information on deleting indexes and deleting data from indexes, refer to Remove data from Splunk Enterprise in the Splunk Managing Indexers and Clusters manual.

The method returns HTTP status code = 409, if {name} was disabled but Splunk Enterprise was not restarted. Restart Splunk Enterprise and try again.


GET data/indexes/{name} method detail

Example

Request parameters
Name Type Default Description
summarize Boolean false [Optional] Response type:

true = Summarized response, omitting some index details, providing a faster response.
false = full response.

Response data keys
Name Description
assureUTF8 Indicates whether all data retreived from the index is proper UTF8. If enabled (set to True), degrades indexing performance.

This is a global setting, not a per index setting.

blockSignSize Controls how many events make up a block for block signatures.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

blockSignatureDatabase The index that stores block signatures of events.

This is a global setting, not a per index setting.

bloomfilterTotalSizeKB Total size of all bloom filter files, in KB.
coldPath Filepath to the cold databases for the index.
coldPath_expanded Absoute filepath to the cold databases.
coldToFrozenDir Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk Enterprise automatically puts frozen buckets in this directory.

Bucket freezing policy is as follows:

  • New style buckets (4.2 and on): removes all files but the rawdata
To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory
  • Old style buckets (Pre-4.2): gzip all the .data and .tsidx files
To thaw, gunzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.

coldToFrozenScript Path to the archiving script.

See the POST parameter description for details.

compressRawdata This value is ignored. splunkd process always compresses raw data.
currentDBSizeMB Total size, in MB, of data stored in the index. The total incudes data in the home, cold and thawed paths.
defaultDatabase If no index destination information is available in the input data, the index shown here is the destination of such data.
disabled Indicates if the index is disabled.
enableRealtimeSearch Indicates if this is a real-time search.

This is a global setting, not a per index setting.

frozenTimePeriodInSecs Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

homePath An absolute path that contains the hot and warm buckets for the index.
homePath_expanded An absolute filepath to the hot and warm buckets for the index.
indexThreads Number of threads used for indexing.

This is a global setting, not a per index setting.

isInternal Indicates if this is an internal index (for example, _internal, _audit).
lastInitTime Last time the index processor was successfully initialized.

This is a global setting, not a per index setting.

maxConcurrentOptimizes The number of concurrent optimize processes that can run against a hot bucket.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

maxDataSize The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk Enterprise to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day.
  • "auto" sets the size to 750MB.
  • "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize is auto-tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

maxHotBuckets Maximum hot buckets that can exist per index. Defaults to 3.

When maxHotBuckets is exceeded, Splunk Enterprise rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

maxHotIdleSecs Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time).

If a hot bucket exceeds maxHotIdleSecs, Splunk Enterprise rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.

maxHotSpanSecs Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).

Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

maxMemMB The amount of memory, in MB, allocated for indexing.

This is a global setting, not a per index setting.

maxMetaEntries Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

maxRunningProcessGroups Maximum number of processes that the indexer fires off at a time.

This is a global setting, not a per index setting.

maxTime UNIX timestamp of the newest event time in the index.
maxTotalDataSizeMB The maximum size of an index, in MB.
maxWarmDBCount Maximum number of warm buckets.
memPoolMB Determines how much memory is given to the indexer memory pool.

This is a global setting, not a per-index setting.

minRawFileSyncSecs Can be either an integer (or "disable"). Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed

The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

minTime UNIX timestamp of the oldest event time in the index.
numBloomfilters The number of bloom filters created for this index.
numHotBuckets The number of hot buckets created for this index.
numWarmBuckets The number of warm buckets created for this index.
partialServiceMetaPeriod Related to serviceMetaPeriod. By default it is turned off (zero).

If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

quarantineFutureSecs Events with timestamp of quarantineFutureSecs newer than "now" that are dropped into quarantine bucket. Defaults to 2592000 (30 days).

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

quarantinePastSecs Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

rawChunkSizeBytes Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.

rotatePeriodInSecs Rotation period, in seconds, that specifies how frequently to check:
  • If a new hot bucket needs to be created.
  • If there are any cold buckets that should be frozen.
  • If there are any buckets that need to be moved out hot and cold DBs, due to size constraints.
serviceMetaPeriod Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

summarize If true, leaves out certain index details, which provides a faster response.
suppressBannerList List of indexes for which we suppress "index missing" warning banner messages.

This is a global setting, not a per index setting.

sync Specifies the number of events that trigger the indexer to sync events.

This is a global setting, not a per index setting.

syncMeta When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.

Note: Do not change this parameter without the input of Splunk Support.

thawedPath An absolute path that contains the thawed (resurrected) databases for the index.
thawedPath_expanded Absolute filepath to the thawed (resurrected) databases.
throttleCheckPeriod Defines how frequently Splunk Enterprise checks for index throttling condition, in seconds. Defaults to 15 (seconds).

Note: Do not change this parameter without the input of Splunk Support.

totalEventCount Total number of events in the index.

POST data/indexes/{name} method detail

Example

Request parameters
Name Type Default Description
blockSignSize Number 0 Controls how many events make up a block for block signatures.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

bucketRebuildMemoryHint String auto Suggestion for the Splunk Enterprise bucket rebuild process for the size of the time-series (tsidx) file to make.

Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support.

Default value, auto, varies by the amount of physical RAM on the host

  • less than 2GB RAM = 67108864 (64MB) tsidx
  • 2GB to 8GB RAM = 134217728 (128MB) tsidx
  • more than 8GB RAM = 268435456 (256MB) tsidx

Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295

You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.

coldToFrozenDir String Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk Enterprise automatically puts frozen buckets in this directory.

Bucket freezing policy is as follows:

  • New style buckets (4.2 and on): removes all files but the rawdata
To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory
  • Old style buckets (Pre-4.2): gzip all the .data and .tsidx files
To thaw, gunzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence

coldToFrozenScript String Path to the archiving script.

If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories.

Splunk Enterprise ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. Splunk DOES NOT recommend using this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade.

Splunk recommends copying the example script to a new file in bin and modifying it for your system. Most importantly, change the default archive path to an existing directory that fits your needs.

If your new script in bin/ is named myColdToFrozen.py, set this key to the following:

coldToFrozenScript = "$SPLUNK_HOME/bin/python" "$SPLUNK_HOME/bin/myColdToFrozen.py"

By default, the example script has two possible behaviors when archiving:

  • For buckets created from version 4.2 and on, it removes all files except for rawdata. To thaw: cd to the frozen bucket and type splunk rebuild ., then copy the bucket to thawed for that index. We recommend using the coldToFrozenDir parameter unless you need to perform a more advanced operation upon freezing buckets.
  • For older-style buckets, we simply gzip all the .tsidx files. To thaw: cd to the frozen bucket and unzip the tsidx files, then copy the bucket to thawed for that index
compressRawdata Boolean true This parameter is ignored. The splunkd process always compresses raw data.
enableOnlineBucketRepair Boolean true Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk.

When enabled, you do not have to wait until buckets are repaired to start Splunk. However, you might observe a slight performance degratation.

frozenTimePeriodInSecs Number 188697600 Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

maxBloomBackfillBucketAge Number 30d Valid values are: Integer[m|s|h|d]

If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters.

For example, if a bucket is older than specified with maxBloomBackfillBucketAge, and the rebuilding of its bloomfilter started but did not finish, do not rebuild it.

maxConcurrentOptimizes Number 6 The number of concurrent optimize processes that can run against a hot bucket.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

maxDataSize Number auto The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk Enterprise to autotune this parameter (recommended).Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day.
  • "auto" sets the size to 750MB.
  • "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize is auto-tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

maxHotBuckets Number 3 Maximum hot buckets that can exist per index. Defaults to 3.

When maxHotBuckets is exceeded, Splunk Enterprise rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

maxHotIdleSecs Number 0 Maximum life, in seconds, of a hot bucket. Defaults to 0.

If a hot bucket exceeds maxHotIdleSecs, Splunk Enterprise rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).

maxHotSpanSecs Number 7776000 Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).

Note:I f you set this too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

maxMemMB Number 5 The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments.

IMPORTANT: Calculate this number carefully. Setting this number incorrectly may have adverse effects on your systems memory and/or splunkd stability/performance.

maxMetaEntries Number 1000000 Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

maxTimeUnreplicatedNoAcks Number 300 Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored.

If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies.

Highest legal value is 2147483647. To disable this parameter, set to 0.

Note: this is an advanced parameter. Understand the consequences before changing.

maxTimeUnreplicatedWithAcks Number 60 Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering).

Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza.

To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.

maxTotalDataSizeMB Number 500000 The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen.
maxWarmDBCount Number 300 The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times are moved to cold.
minRawFileSyncSecs Number disable Specify an integer (or "disable") for this parameter.

This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

Note: Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed

minStreamGroupQueueSize Number 2000 Minimum size of the queue that stores events in memory before committing them to a tsidx file.

Caution: Do not set this value, except under advice from Splunk Support.

partialServiceMetaPeriod Number 0 Related to serviceMetaPeriod. If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

By default it is turned off (zero).

processTrackerServiceInterval Number 1 Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15.

If set to 0, the indexer checks child process status every second.

Highest legal value is 4294967295.

quarantineFutureSecs Number 2592000 Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days).

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

quarantinePastSecs Number 77760000 Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

rawChunkSizeBytes Number 131072 Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

WARNING: This is an advanced parameter. Only change it if you are instructed to do so by Splunk Support.

repFactor String 0 Index replication control. This parameter applies to only Splunk Enterprise clustering slaves.

auto = Use the master index replication configuration value.

0 = Turn off replication for this index.

rotatePeriodInSecs Number 60 How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen.
serviceMetaPeriod Number 25 Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

syncMeta Boolean true When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.

Note: Do not change this parameter without the input of a Splunk Support.

throttleCheckPeriod Number 15 Defines how frequently Splunk Enterprise checks for index throttling condition, in seconds. Defaults to 15 (seconds).

Note: Do not change this parameter without the input of Splunk Support.

tstatsHomePath String Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter.

If specified, it must be defined in terms of a volume definition.

Caution: Path must be writable.

Default value: volume:_splunk_summaries/$_index_name/tstats

warmToColdScript String Path to a script to run when moving data from warm to cold.

This attribute is supported for backwards compatibility with Splunk Enterprise versions older than 4.0. Contact Splunk support if you need help configuring this setting.

Caution: Migrating data across filesystems is now handled natively by splunkd. If you specify a script here, the script becomes responsible for moving the event data, and Splunk-native data migration are not used.

Response data keys
Name Description
assureUTF8 Boolean value indicating wheter all data retreived from the index is proper UTF8.

If enabled (set to True), degrades indexing performance

Can only be set globally.

blockSignSize Controls how many events make up a block for block signatures.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

blockSignatureDatabase The index that stores block signatures of events.

This is a global setting, not a per index setting.

bucketRebuildMemoryHint Suggestion for the Splunk Enterprise bucket rebuild process for the size of the time-series (tsidx) file to make.
coldPath Filepath to the cold databases for the index.
coldPath_expanded Absoute filepath to the cold databases.
coldToFrozenDir Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk Enterprise automatically puts frozen buckets in this directory.

Bucket freezing policy is as follows:

  • New style buckets (4.2 and on): removes all files but the rawdata
To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory
  • Old style buckets (Pre-4.2): gzip all the .data and .tsidx files
To thaw, gunzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.

coldToFrozenScript Path to the archiving script.

See the POST parameter description for details.

compressRawdata This value is ignored. splunkd process always compresses raw data.
currentDBSizeMB Total size, in MB, of data stored in the index. The total incudes data in the home, cold and thawed paths.
defaultDatabase If no index destination information is available in the input data, the index shown here is the destination of such data.
enableOnlineBucketRepair Indicates whether to run asynchronous "online fsck" bucket repair, which runs in a process concurrently with Splunk.
enableRealtimeSearch Indicates if this is a real-time search.

This is a global setting, not a per index setting.

frozenTimePeriodInSecs Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

homePath An absolute path that contains the hot and warm buckets for the index.
homePath_expanded An absolute filepath to the hot and warm buckets for the index.
indexThreads Number of threads used for indexing.

This is a global setting, not a per index setting.

isInternal Indicates if this is an internal index (for example, _internal, _audit).
lastInitTime Last time the index processor was successfully initialized.

This is a global setting, not a per index setting.

maxBloomBackfillBucketAge If a bucket (warm or cold) is older than this, Splunk Enterprise does not create (or re-create) its bloom filter.
maxConcurrentOptimizes The number of concurrent optimize processes that can run against a hot bucket.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

maxDataSize The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk Enterprise to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day.
  • "auto" sets the size to 750MB.
  • "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize is auto-tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

maxHotBuckets Maximum hot buckets that can exist per index. Defaults to 3.

When maxHotBuckets is exceeded, Splunk Enterprise rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

maxHotIdleSecs Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time).

If a hot bucket exceeds maxHotIdleSecs, Splunk Enterprise rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.

maxHotSpanSecs Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).

Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

maxMemMB The amount of memory, in MB, allocated for indexing.

This is a global setting, not a per index setting.

maxMetaEntries Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

maxTime UNIX timestamp of the newest event time in the index.
maxTimeUnreplicatedNoAcks Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored.

If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies.

Highest legal value is 2147483647. To disable this parameter, set to 0.

Note: this is an advanced parameter. Understand the consequences before changing.

maxTimeUnreplicatedWithAcks Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering).

Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza.

To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.

maxTotalDataSizeMB The maximum size of an index, in MB.
maxWarmDBCount The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times are moved to cold.
memPoolMB Determines how much memory is given to the indexer memory pool.

This is a global setting, not a per-index setting.

minRawFileSyncSecs Can be either an integer (or "disable"). Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed

The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

minStreamGroupQueueSize Minimum size of the queue that stores events in memory before committing them to a tsidx file.
minTime UNIX timestamp of the oldest event time in the index.
partialServiceMetaPeriod Related to serviceMetaPeriod. By default it is turned off (zero).

If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

processTrackerServiceInterval How often, in seconds, the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests.
quarantineFutureSecs Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days).

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

quarantinePastSecs Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

rawChunkSizeBytes Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.

repFactor Index replication control. This parameter applies to only Splunk Enterprise clustering slaves.

auto = Use the master index replication configuration value.

0 = Turn off replication for this index.

rotatePeriodInSecs Rotation period, in seconds, that specifies how frequently to check:
  • If a new hot bucket needs to be created.
  • If there are any cold buckets that should be frozen.
  • If there are any buckets that need to be moved out hot and cold DBs, due to size constraints.
serviceMetaPeriod Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

suppressBannerList List of indexes for which we suppress "index missing" warning banner messages.

This is a global setting, not a per index setting.

sync Specifies the number of events that trigger the indexer to sync events.

This is a global setting, not a per index setting.

syncMeta When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.

Note: Do not change this parameter without the input of Splunk Support.

thawedPath Filepath to the thawed (resurrected) databases for the index.
thawedPath_expanded Absolute filepath to the thawed (resurrected) databases.
throttleCheckPeriod Defines how frequently Splunk Enterprise checks for index throttling condition, in seconds. Defaults to 15 (seconds).

Note: Do not change this parameter without the input of Splunk Support.

totalEventCount Total number of events in the index.
tstatsHomePath Location where datamodel acceleration TSIDX data for this index is stored.
warmToColdScript Script to run when moving data from warm to cold. See input parameter description for details.

[ Top ]



data/indexes-extended


https://<host>:<mPort>/services/data/indexes-extended

Authentication: Not required

Description

Provide Splunk Enterprise index bucket-level information. There are three bucket super-directories per index:

The default update period is 10 minutes, as defined by the collectionPeriodInSecs attribute in the $SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf file.

Note: At least one observation period must pass after Splunk Enterprise startup for valid endpoint data to be available. The observation period is defined in the $SPLUNK_HOME/etc/system/default/server.conf file:


[introspection:generator:disk_objects]
collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.

Method summary
Method Description Formats
GET List bucket attributes for all indices. XML, JSON

GET data/indexes-extended method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
bucket_dirs (If total_size > 0) List the following attributes for each index bucket super-directory (home, cold, thawed) as indicated:
AttributeDescriptionhomecoldthawed
bucket_countNumber of buckets.XX
event_count(If size > 0) Number of events in this bucket super-directory.XXX
event_max_time(If size > 0) Highest time value (Unix epoch seconds) of all events in this bucket super-directory, commonly called latest time.XXX
event_min_time(If size > 0) Lowest time value (Unix epoch seconds) of all events in this bucket super-directory, commonly called earliest time.XXX
hot_bucket_count(If size > 0) Number of hot buckets.X
sizeSize (fractional MB) on disk of this bucket super-directory.XXX
warm_bucket_count(If size > 0) Number of warm buckets.X
name Index name.
total_bucket_count (If total_size > 0) Number of index buckets.
total_event_count (If total_size > 0) Number of events for index, excluding frozen events. Approximately equal to the event_count sum of all buckets.
total_raw_size (If total_size > 0) Cumulative size (fractional MB) on disk of the <bucket>/rawdata/ directories of all buckets in this index, excluding frozen.
total_size Size (fractional MB) on disk of this index.

[ Top ]



data/indexes-extended/{name}


https://<host>:<mPort>/services/data/indexes-extended/{name}

Authentication: Not required

Description

Provide bucket-level information for the specified index. There are three bucket super-directories per index:

The default update period is 10 minutes, as defined by the collectionPeriodInSecs attribute in the $SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf file.

Note: At least one observation period must pass after Splunk Enterprise startup for valid endpoint data to be available. The observation period is defined in the $SPLUNK_HOME/etc/system/default/server.conf file:


[introspection:generator:disk_objects]
collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.

Method summary
Method Description Formats
GET List bucket attributes for the specified index. XML, JSON

GET data/indexes-extended/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
bucket_dirs (If total_size > 0) List the following attributes for each index bucket super-directory (home, cold, thawed) as indicated:
AttributeDescriptionhomecoldthawed
bucket_countNumber of buckets.XX
event_count(If size > 0) Number of events in this bucket super-directory.XXX
event_max_time(If size > 0) Highest time value (Unix epoc seconds) of all events in this bucket super-directory, commonly called latest time.XXX
event_min_time(If size > 0) Lowest time value (Unix epoc seconds) of all events in this bucket super-directory, commonly called earliest time.XXX
hot_bucket_count(If size > 0) Number of hot buckets.X
sizeSize (fractional MB) on disk of this bucket super-directory.XXX
warm_bucket_count(If size > 0) Number of warm buckets.X
name Index name.
total_bucket_count (If total_size > 0) Number of index buckets.
total_event_count (If total_size > 0) Number of events for index, excluding frozen events. Approximately equal to the event_count sum of all buckets.
total_raw_size (If total_size > 0) Cumulative size (fractional MB) on disk of the <bucket>/rawdata/ directories of all buckets in this index, excluding frozen.
total_size Size (fractional MB) on disk of this index.

[ Top ]

server/info


https://<host>:<mPort>/services/server/info

Authentication: Not required

Description

Provides access to configuration information about the server.

Method summary
Method Description Formats
GET Enumerate information about the server. XML, JSON

GET server/info method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
activeLicenseGroup Type of Splunk Enterprise license:
Enterprise
Forwarder
Free
Invalid
Trial
addOns Names of active Splunk Enterprise add-ons.
build The build number for this version of Splunk.
cpu_arch The architecture type for the CPU hosting splunkd.
guid Globally unique identifier for this server.
host Server name.
host_fqdn host fully-qualified domain name.
isFree Indicates if this server is running Splunk Enterprise under a free license.
isTrial Indicates if this server is using a trial license.
kv_store_status App KV store availability.
license_labels Labels associated with the license for this server.
licenseKeys License key unique for each license.
licenseSignature Hash signature for the license for this server.
licenseState Specifies the status of the license, which can be either OK or Expired.
master_guid Globally unique identifier for this server.
max_users Maximum number of users.
mode Indicates whether the server is a dedicated forwarder. Possible values are:
normal
dedicated forwarder
numberOfCores Server number of processor cores. Not useful if host is a VM guest. 0 if the respective result cannot be acquired for some reason. That reason is logged to splunkd.log.
os_build Software build for this os_version.
os_name Operating system.
os_version Operating system version.
physicalMemoryMB Server physical memory (MB). Same as mem field of server/status/resource-usage/hostwide. 0 if the respective result cannot be acquired for some reason. That reason is logged to splunkd.log.
product_type Splunk Enterprise product type:
enterprise
hunk
lite
lite_free
splunk
rtsearch_enabled Indicates if real-time search is enabled for this server.
server_roles Zero or more of the following possible server roles:
indexer
universal_forwarder
heavyweight_forwarder
lightweight_forwarder
license_master
license_slave
cluster_master
cluster_slave
cluster_search_head
deployment_server
deployment_client
search_head
search_peer

See also: server/roles endpoint.

serverName Server DNS domain name.
startup_time Server platform start time, in seconds since January 1, 1970 (UNIX epoch).
version os_build software version number.

[ Top ]



server/introspection


https://<host>:<mPort>/services/server/introspection

Authentication: Not required

Description

List system introspection artifacts.

Only the indexer artifact is a supported REST API endpoint.

See also
Method summary
Method Description Formats
GET List introspection resources. XML, JSON

GET server/introspection method detail

Example

Request parameters

None

Response data keys

None

The endpoint returns a list of introspection artifacts.

[ Top ]



server/introspection/indexer


https://<host>:<mPort>/services/server/introspection/indexer

Authentication: Not required

Description

Get the current indexer status and reason for a non-nominal status.

See also

server/introspection

Method summary
Method Description Formats
GET Get indexer information. XML, JSON

GET server/introspection/indexer method detail

Example

Request parameters

None

Response data keys
Name Description
average_KBps Average indexer throughput (kbps).
reason Reason message associated with a non-normal status:
  • "idx=<indexerName> Throttling indexer, too many tsidx files in bucket=<bucketName>. Is splunk-optimize working? If not, low disk space may be the cause."
  • "You are low in disk space on partition <partitionName>. Indexing is paused. Will resume when free disk space rises above <minFreeMB>."
A period (.) is returned for reason, for a normal status.
status Current indexer status:
  • normal
  • throttled
  • stopped

[ Top ]



server/introspection/kvstore


https://<host>:<mPort>/services/server/introspection/kvstore

Authentication: Not required

Description

List app kvstore resources.

See also

server/introspection

Method summary
Method Description Formats
GET List app KV store resources. XML, JSON

GET server/introspection/kvstore method detail

Example

Request parameters

None

Response data keys

None.

Returns links to each of the app /server/introspection/kvstore resources:

[ Top ]



server/introspection/kvstore/collectionstats


https://<host>:<mPort>/services/server/introspection/kvstore/collectionstats

Authentication: Not required

Description

Get storage statistics for a collection.

See also
Method summary
Method Description Formats
GET Get storage statistics for a collection. XML, JSON

GET server/introspection/kvstore/collectionstats method detail

Example

Request parameters

None

Response data keys
Name Description
data Returns the following JSON document:
  • count - Number of collection documents or objects.
  • indexSizes - Key and size of every index on the collection.
  • lastExtentSize - Size of last allocated extent.
  • nindexes - Number of indexes on the collection.
  • ns - Current collection namespace.
  • numExtents - Number of contiguously allocated data file regions.
  • paddingFactor - Amount of space added to each document.
  • size - Collection records total size.
  • storageSize - Collection document storage allocation.
  • systemFlags - Collection flags that reflect internal server options.
  • totalIndexSize - Size of all indexes.
  • userFlags - Collection flags set by user.

[ Top ]



server/introspection/kvstore/replicasetstats


https://<host>:<mPort>/services/server/introspection/kvstore/replicasetstats

Authentication: Not required

Description

Get the status of the replica set from the point of view of the current server.

See also
Method summary
Method Description Formats
GET Get the status of the replica set from the point of view of the current server. XML, JSON

GET server/introspection/kvstore/replicasetstats method detail

Example

Request parameters

None

Response data keys
Name Description
data Returns the following JSON document:
  • set - Replicate Set Name set in the server.conf file.
  • date - Current time in ISO format.
  • myState - Startup process, basic operations, and potential error states:
    • 0 STARTUP Initial member state. Cannot vote.
    • 1 PRIMARY Only member that can accept write operations. Can vote.
    • 2 SECONDARY Data store replication member. Can vote.
    • 3 RECOVERING Members perform startup self-checks, or transition from completing a rollback or resync. Can vote.
    • 4 FATAL Unrecoverable error encountered. Cannot vote.
    • 5 STARTUP2 Forks replication and election threads before becoming a secondary. Cannot vote.
    • 6 UNKNOWN Never connected to replica set. Cannot vote.
    • 7 ARBITER Participate in elections, do not replicate data. Can vote.
    • 8 DOWN Cannot be accessed by the set. Cannot vote.
    • 9 ROLLBACK Performs rollback. Can vote.
    • 10 REMOVED Removed from the replica set. Cannot vote.
  • members - Descriptions of members of replica set:
    • _id - Member ID.
    • name - Server name.
    • health - Status: 1 = up, 0 = down.
    • state - Replica state (See MyState).
    • stateStr - String representation of state.
    • uptime - Online interval (seconds).
    • optime - Information about last operations log operation.
      • t - 32-bit timestamp of last operation.
      • i - Number of operations since the last timestamp.
    • optimeDate - Time of last operations log operation in ISO format.
    • lastHeartbeat - Transmission time of last heartbeat in ISO format.
    • lastHeartbeatRecv - Time last heartbeat received in ISO format.
    • pingMs - Round-trip packet time (msec).
    • syncingTo - On secondary and recovering members, hostname of member from which this instance is syncing.
  • ok - Command return status: 1 = Success, 0 = Failure.
  • oplogInfo - Operations log information:
    • start - Start time.
    • end - End time.
    • collectionStats - Collection storage statistics:
      • ns - Current collection namespace.
      • count - Number of collection documents or objects.
      • size - Collection records total size.
      • avgObjSize - Average object size in collection (bytes).
      • storageSize - Collection document storage allocation.
      • numExtents - Number of contiguously allocated data file regions.
      • nindexes - Number of indexes on the collection.
      • lastExtentSize - Size of last allocated extent.
      • paddingFactor - Amount of space added to each document.
      • systemFlags - Collection flags that reflect internal server options.
      • userFlags - Collection flags set by user.
      • totalIndexSize - Size of all indexes.
      • indexSizes - Key and size of every index on the collection.
      • capped - Capped setting: true = capped, false = not capped.
      • max - Max collection size.
      • ok - Command return status: 1 = Success, 0 = Failure.
    • sources - Operations log sources.

[ Top ]



server/introspection/kvstore/serverstatus


https://<host>:<mPort>/services/server/introspection/kvstore/serverstatus

Authentication: Not required

Description

Get an overview of the database process state.

Monitoring applications periodically run this command to get statistical information about the database instance.

See also
Method summary
Method Description Formats
GET Get an overview of the database process state. XML, JSON

GET server/introspection/kvstore/serverstatus method detail

Example

Request parameters

None

Response data keys

The response data are platform-dependent.

Name Description
data Returns the following CDATA items:
  • asserts - Number of database assertions since the server process started, for each of the following levels/types:
    • regular
    • warning
    • msg
    • user
    • rollovers
  • backgroundFlushing - Write to disk flush metrics:
    • flushes - Number of times writes flushed.
    • total_ms - Number of msec processes used to flush writes.
    • average_ms - Relationship between flushes and total_ms, in msec.
    • last_ms - Number of msec the last flush took.
    • last_finished (date) - ISO time of last completed write flush operation.
  • connections - Current incoming connections status and database availability:
    • current - Number of active client connections.
    • available - Number of unused connections available.
    • totalCreated - Total number of connections created, including closed connections.
  • cursors - [DEPRECATED] Current cursor and state. Use metrics, instead.
  • dur - (Durability) Journaling-related operations and performance. Journaling must be enabled.:
    • commits - Number of transactions written to the journal during the last group commit interval.
    • journaledMB - Amount of data (MB) written to the journal during the last group commit interval.
    • writeToDataFilesMB - Amount of data (MB) written from journal to data files during the last group commit interval.
    • compression - Compression ratio of data written to journal: (journaled_size_of_data / uncompressed_size_of_data)
    • commitsInWriteLock - Number of commits that occurred during a write lock.
    • earlyCommits - Number of commits requested before scheduled group commit time.
    • timeMs: Performance during various journaling phases.
      • dt - Data collection interval (msec).
      • prepLogBuffer - Time spend preparing to write to journal (msec).
      • writeToJournal - Time spent writing to journal (msec).
      • writeToDataFiles - Time spent writing to data files after journaling (msec).
      • remapPrivateView - Time spent remapping copy-on-write memory mapped views (msec).
  • extra_info - Platform-specific information:
    • note - Platform-specific information.
    • heap_usage_bytes - Total heap space size used by database (bytes). Applicable to *nix systems, only.
    • page_faults - Total number of page faults that require disk operations.
  • globalLock - Information about the current database lock state, historical lock status, and active clients:
    • totalTime - Time since database started and globalLock creation (usec).
    • lockTime - Time since database started that globalLock has been held (usec).
    • currentQueue: Information about operations queued because of a lock.
      • total - Total number of operations queued waiting on readers and writers locks.
      • readers - Number of operations queued waiting for read lock.
      • writers - Number of operations queued waiting for write lock.
    • activeClients: Information about number and operation types of connected clients.
      • total - Total number of readers and writers connections.
      • readers - Number of connected clients performing read operations.
      • writers - Number of connected clients performing write operations.
  • host - Hostname and port number.
  • indexCounters - Index usage counters:
    • accesses - Number of times operations accessed indexes.
    • hits - Number of times index accessed and returned from memory.
    • misses - Number of attempts to access index not in memory.
    • resets - Number of times index counters reset since database last started.
    • missRatio - Ratio of hits to misses.
  • localTime - ISO-formatted local time.
  • locks - State and read/write use of global and database-specific locks:
    • timeLockedMicros - Amount of time a lock existed, for all databases of this server instance (usec).
    • timeAcquiringMicros - Amount of time operations spend waiting, for lock for all databases of this server instance (usec).
    • admin: Lock use in the admin database.
      • timeLockedMicros - Amount of time locks existed in the admin database context (usec).
      • timeAcquiringMicros - Amount of time spent waiting to acquire a lock in the admin database context (usec).
    • local: Lock use in the local database.
      • timeLockedMicros - Amount of time locks existed in the local database context (usec).
      • timeAcquiringMicros - Amount of time spent waiting to acquire a lock in the local database context (usec).
    • search.<collection>: Locks used in each collection.
      • timeLockedMicros - Amount of time locks exist in the collection context (usec).
      • timeAcquiringMicros - Amount of time spent waiting to acquire a lock in the collection context (usec).
  • mem - Memory usage: System architecture and memory usage metrics.
    • bits - System address architecture: 32 or 64 bit architecture.
    • resident - Amount of RAM currently used by the database process (MB).
    • virtual - Amount of virtual memroy used (MB).
    • supported: true = supports extended memory information, false = does not support extended memory information.
    • mapped - Amount of mapped memory for database (MB).
    • mappedWithJournal - Amount of mapped memory, including journaling memory (MB). Always twice the size of mapped.
  • metrics - Current instance use and state:
    • cursor: Cursor state and use.
      • timedOut - Total number of cursors that have timed out since the server process started.
      • open: - Information about open cursors.
        • noTimeout - Number of open cursors with option set to prevent timeout after a period of inactivity.
        • pinned - Number of pinned open cursors.
        • total - Number of cursors maintained for clients, typically less than zero.
    • document: Information about document access and modification patterns and data use. Compare these values to opcounters data, which track total number of operations.
      • deleted - Total number of deleted documents.
      • inserted - Total number of inserted documents.
      • returned - Total number of documents returned by queries.
      • updated - Total number of updated documents.
    • getLastError: Information about getLastError use.
      • wtime: getLastError operation counts with a specified write concern that wait for one or more members of a replica set to acknowledge the write operation.
        • num - getLastError operation counts with a specified write concern that wait for one or more members of a replica set to acknowledge the write operation.
        • totalMillis - Amount of time spent performing getLastError operations with write concern that wait for one or more members of a replica set to acknowledge the write operation (msec).
      • wtimeouts - Number of times write concern operations timed out as a result of the wtimeout threshold to getLastError.
    • operation: Counters for several types of update and query operations handled using special operation types.
      • fastmod - Number of update operations that neither cause documents to grow nor require updates to the index.
      • idhack - Number of queries that contain the _key field.
      • scanAndOrder - Number of queries that return sorted numbers that cannot perform the sort operation using an index.
    • queryExecutor: Data from the query execution system.
      • scanned - Number of index items scanned during queries and query-plan evaluation.
      • scannedObjects - Total number of documents scanned during the query.
    • record: Data related to record allocation in the on-disk memory files.
      • moves - Number of times documents move within the on-disk representation of the data set. Documents move as a result of operations that increase the size of the document beyond their allocated record size.
    • repl: Metrics related to the ordered history of logical writes.
      • apply: - Information about the application of ordered history of logical writes.
        • batches: Information on the ordered history of logical writes application process on secondaries members of replica sets.
          • num - Number of batches applied across all databases.
          • totalMillis - Amount of time spent applying ordered history of logical write operations (msec).
        • ops - Number of ordered history of logical write operations.
      • buffer: Information to track the ordered history of logical write operations buffer.
        • count - Number of operations on the ordered history of logical writes buffer.
        • maxSizeBytes/ - Maximum size of the ordered history of logical writes buffer.
        • sizeBytes - Current size of the contents of the ordered history of logical writes buffer.
      • network: Network use information for the replication process.
        • bytes - Amount of data read from the replication sync source (bytes).
        • getmores: Information about queries for additional results from the ordered history of logical write operations cursor as part of the replication process.
          • num - Number of queries for additional results from the ordered history of logical write operations, which are operations that request an additional set of operations from the replication sync source.
          • totalMillis - Amount of time to collect data from queries for additional results from the ordered history of logical write operations (msec).
        • ops - Number of operations read from the replication source.
        • readersCreated - Number of queries for additional results from the ordered history of logical write operations processes created.
      • preload: Information about replication pre-fetch.
        • docs: Information about documents loaded into memory during replication pre-fetch.
          • num - Number of documents loaded during replication pre-fetch.
          • totalMillis - Amount of time spent loading documents as part of replication pre-fetch (msec).
        • indexes: Information about index items loaded into memory during replication pre-fetch.
          • num - Number of index entries loaded by members before updating documents as part of replication pre-fetch.
          • totalMillis - Amount of time spent loading index entries as part of replication pre-fetch (msec).
    • storage: Freelist behavior monitoring statistics.
      • freelist: Freelist bucket behavior monitoring statistics.
        • search: Freelist bucket behavior monitoring search statistics.
          • bucketExhausted - Number of times bucket fully searched, requiring advance to next bucket.
          • requests - Number of times the allocation function was called.
          • scanned - Number of freelist bucket entries examined.
    • ttl: Information about resource use of the ttl index process.
      • deletedDocuments - Number of documents deleted from collections with a ttl index.
      • passes - Number of times background process removes documents from collections with a ttl index.
  • network - Network use and state:
    • bytesIn - Amount of network traffic received by this database (bytes).
    • bytesOut- Amount of network traffic sent from this database (bytes).
    • numRequests - Number of distinct requests received by the server.
  • ok - Command return status: 1 = Success, 0 = Failure.
  • opcounters - Overview of database operations by type, similar to opcountersRepl:
    • insert - Number of insert operations since instance started.
    • query - Number of queries since instance started.
    • update - Number of update operations since instance started.
    • delete - Number of delete operations since instance started.
    • getmore - Number of getmore operations since instance started.
    • command - Number of commands issued since instance started.
  • opcountersRepl - Overview of replication operations by type, similar to opcounters:
    • insert - Number of replicated insert operations since instance started.
    • query - Number of replicated queries since instance started.
    • update - Number of replicated update operations since instance started.
    • delete - Number of replicated delete operations since instance started.
    • getmore - Number of replicated getmore operations since instance started.
    • command - Number of replicated commands issued since instance started.
  • pid - Process ID.
  • recordStats - Page fault statistics:
    • accessesNotInMemory - Number of times memory page accessed that was not resident in memory, for all databases.
    • pageFaultExceptionsThrown - Number of page fault exceptions thrown when accessing data for all databases.
    • admin: Admin database page fault statistics.
      • accessesNotInMemory - Number of times memory page accessed that was not resident in memory, for the admin database.
      • pageFaultExceptionsThrown - Number of page fault exceptions thrown when accessing data for the admin database.
    • local: Local database page fault statistics.
      • accessesNotInMemory - Number of times memory page accessed that was not resident in memory, for the local database.
      • pageFaultExceptionsThrown - Number of page fault exceptions thrown when accessing data for the local database.
    • search.<collection>: Search database page fault statistics.
      • accessesNotInMemory - Number of times memory page accessed that was not resident in memory, for the search database.
      • pageFaultExceptionsThrown - Number of page fault exceptions thrown when accessing data for the search database.
  • uptime - Amount of time database process has been active (seconds).
  • uptimeEstimate - Amount of time database process has been active as calculated from the internal, course-grained time keeping system (seconds).
  • uptimeMillis - Amount of time database process has been active (msec).
  • version - Version number (not used).
  • writeBacksQueued - Write-backs queued status: true = write-backs queued, false = write-backs not queued.

[ Top ]



server/introspection/search/saved


https://<host>:<mPort>/services/server/introspection/search/saved

Authentication: Required

Description

Access most recent scheduled search priority scores and score calculation adjustments.

Method summary
Method Description Formats
GET Enumerate scheduled search details. XML, JSON
GET server/introspection/search/saved method detail

Example

Request parameters

None

Response data keys
Name Description
final_score Most recent calculated priority score, based on adjustments and original score.
name Scheduled search name.
orig_score A score based on a search's originally scheduled run time.
owner Search scope or context owner. This could be a specific user or "nobody" for a search defined in an app or system-level scope.
priority_no Most recent calculated priority number for this search.
real_time_adj Real-time search priority adjustment. Real-time searches default to -80000 and continuous scheduled searches default to 0. This particular value is for internal purposes only and is subject to change.
runtime_adj Calculated value based on average search runtime.
skipped_adj Adjustment for number of times search has been skipped and search period. 0 means the search has not been skipped.
window_adj Adjustment for remaining time in search run window.



[ Top ]



server/status


https://<host>:<mPort>/services/server/status

Authentication: Not required

Description

Access system status information.

Method summary
Method Description Formats
GET Enumerate server/status endpoints. XML, JSON

GET server/status method detail

Example

Request parameters

None

Response data keys

List of /server/status/ child endpoints.

Note: The /server/status/limits/ and /server/status/resource-usage/ endpoints are not listed. A bug report is submitted.

[ Top ]



server/status/dispatch-artifacts


https://<host>:<mPort>/services/server/status/dispatch-artifacts

Authentication: Not required

Description

Access search job information.

Note: At least one observation period must pass after Splunk Enterprise startup for valid endpoint data to be available. The observation period is defined in the $SPLUNK_HOME/etc/system/default/server.conf file:

[introspection:generator:disk_objects] collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.

Method summary
Method Description Formats
GET Get information about dispatched search jobs. XML, JSON

GET server/status/dispatch-artifacts method detail

Example

Request parameters

None

Response data keys
Name Description
count_realtime Jobs active in the immediate past observation period, not including historical jobs.
count_scheduled Jobs active in the immediate past observation period, not including real-time jobs.
count_summary Jobs active in the immediate past observation period, not including non-summary jobs.
top_apps Top 15 apps in the past observation period, inapp:count key-value pair format.
top_named_searches Top 15 named searches in the past observation period, in savedSearchName:count key-value pair format.
top_users Top 15 users in the past observation period, in username:count key-value pair format, with count as the number of app contexts for the user.
total_count Number of dispatched search jobs since start-up.

[ Top ]



server/status/fishbucket


https://<host>:<mPort>/services/server/status/fishbucket

Authentication: Not required

Description

Access information about the private BTree database.

Note: At least one observation period must pass after Splunk Enterprise startup for valid endpoint data to be available. The observation period is defined in the $SPLUNK_HOME/etc/system/default/server.conf file:

[introspection:generator:disk_objects] collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.

Method summary
Method Description Formats
GET Get private Btree database information. XML, JSON

GET server/status/fishbucket method detail

Example

Request parameters

None

Response data keys
Name Description
key_count Number of file input records (keys) seen since start-up.
total_size Total number of file input records (keys).

[ Top ]



server/status/limits/search-concurrency


https://<host>:<mPort>/services/server/status/limits/search-concurrency

Authentication: Not required

Description

Access search concurrency metrics.

Method summary
Method Description Formats
GET Get search concurrency limits for a standalone Splunk Enterprise instance. XML, JSON

GET server/status/limits/search-concurrency method detail

Example

Request parameters

None

Response data keys
Name Description
max_auto_summary_searches Maximum number of auto summary searches.
max_hist_scheduled_searches Maximum number of historical scheduled searches.
max_hist_searches Maximum number of historical searches.
max_rt_scheduled_searches Maximum number of scheduled searches.
max_rt_searches Maximum number of real-time searches.

[ Top ]



server/status/partitions-space


https://<host>:<mPort>/services/server/status/partitions-space

Authentication: Not required

Description

Access disk utilization information for filesystems that have Splunk Enterprise disk objects, such as indexes, volumes, and logs. A filesystem can span multiple physical disk partitions.

Note: At least one observation period must pass after Splunk Enterprise startup for valid endpoint data to be available. The observation period is defined in the $SPLUNK_HOME/etc/system/default/server.conf file:

[introspection:generator:disk_objects] collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.

Method summary
Method Description Formats
GET Enumerate filesystem endpoints. XML, JSON

GET server/status/partitions-space method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
capacity Disk capacity (MB).
free Disk free space (MB).
fs_type File system type.

Example values:
Linux: ext2, ext3, ext4, qnx4
Solaris: ufs, zfs
Windows: ntfs, fat32
AIX: jfs
(not OS-specific) WORM: ISO9660, UDF13346
(not OS-specific); network-shared: SMB, CIFS, NFS
(not OS-specific) Veritas: VxFS.

mount_point Absolute path of the directory where this partition is mounted.

[ Top ]



server/status/resource-usage


https://<host>:<mPort>/services/server/status/resource-usage

Authentication: Not required

Description

Learn the current levels of resource (CPU, RAM, VM, I/O, file handle) utilization for entire host, and per Splunk-related processes.

Note: At least one observation period must pass after Splunk Enterprise startup for valid endpoint data to be available. The observation period is defined in the $SPLUNK_HOME/etc/system/default/server.conf file:

[introspection:generator:resource_usage] collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.

Method summary
Method Description Formats
GET Enumerate server/status/resource-usage/ endpoints. XML, JSON

GET server/status/resource-usage method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys

List of server/status/resource-usage/ endpoints.

[ Top ]



server/status/resource-usage/hostwide


https://<host>:<mPort>/services/server/status/resource-usage/hostwide

Authentication: Not required

Description

Access host-level, dynamic CPU utilization and paging information.

Note: At least one observation period must pass after Splunk Enterprise startup for valid endpoint data to be available. The observation period is defined in the $SPLUNK_HOME/etc/system/default/server.conf file:

[introspection:generator:resource_usage] collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.

Method summary
Method Description Formats
GET Get host-level, dynamic CPU utilization and paging information. XML, JSON

GET server/status/resource-usage/hostwide method detail

Example

Request parameters

None

Response data keys
Name Description
cpu_idle_pct Percentage of time CPU is idle. Value reported as 100.0 on Windows except for Vista+ and XP/Win2003 English-only OSes.
cpu_system_pct Percentage of time CPU is running in system mode. Missing from Windows except for Vista+ and XP/Win2003 English-only OSes.
cpu_user_pct Percentage of time CPU is running in user mode. Missing from Windows except for Vista+ and XP/Win2003 English-only OSes.
forks Cumulative number of forked processes since OS startup. Not available on Windows.
mem Total physical memory available (bytes).
mem_used Total physical memory used (bytes). The amount of actual physical memory minus the amount of physical memory currently available. This is the amount of physical memory that can be immediately reused without having to first write its contents to disk.
On Unix, mem_used = total_phys_ram - (free_mem + buffer_mem + cached_mem)
On Windows, mem_used = (memoryStatus.ullTotalPhys - memoryStatus.ullAvailPhys); See GlobalMemoryStatusEx function
normalized_load_avg_1min Normalized load average of runnable_process_count across all cores (cumulative_load_avg / number_of_cores). This value is not reliable for a VM guest.
pg_paged_out Cumulative VM page count paged since OS startup. Not available on Windows.
pg_swapped_out Cumulative pages swapped out since OS startup. Not available on Windows.
runnable_process_count Number of process running or in the runnable queue. Value reported as 1 on Windows except for Vista+ and XP/Win2003 English-only OSes.
swap Amount of disk allocated to swap (fractional MB).
swap_used Swap space currently in use (fractional MB).

[ Top ]



server/status/resource-usage/splunk-processes


https://<host>:<mPort>/services/server/status/resource-usage/splunk-processes

Authentication: Not required

Description

Access operating system resource utilization information.

Note: At least one observation period must pass after Splunk Enterprise startup for valid endpoint data to be available. The observation period is defined in the $SPLUNK_HOME/etc/system/default/server.conf file:

[introspection:generator:resource_usage] collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.

Method summary
Method Description Formats
GET Get process operating system resource utilization information. XML, JSON

GET server/status/resource-usage/splunk-processes method detail

Example

Request parameters

None

Response data keys
Name Description
args Non-search process arguments.
cpu_system_time Cumulative time this process has spent executing in kernel (incl. system calls). Extra field.
cpu_user_time Cumulative time this process has spent executing in user space (incl. library functions). Extra field.
elapsed Elapsed wall time, accurate to within the collection period.
fd_used Number of currently open files used by this process.
mem_unshared_data_used Amount of heap and stack used. Not available on Windows. Extra field.
mem_used Current amount of resident physical memory used (KB). (Usually far less deceiving than virtual memory because operating systems can be liberal with virtual memory size but never with resident memory size.)
On Windows, mem_used is obtained by reading the WorkingSetSize property returned by the GetProcessMemoryInfo() function (see GetProcessMemoryInfo function and PROCESS_MEMORY_COUNTERS structure).
page_faults Number of major page faults. Extra field.
pct_cpu Percentage of CPU used. Can spike briefly, so a single measurement is not reliable. Only interesting if >40% in several consecutive measurements.
pct_memory Percentage of physical memory used hostwide ((mem_used/available_host_memory) * 100).
pid Process ID.
ppid Parent process ID. Not available for all processes.
process Process name. The .exe suffix is stripped on Windows operating systems.
read_mb Amount of data read (MB), excluding cache reads.
search_props Search properties map of the following key:value pairs:
PropertyDescription
acceleration_idAcceleration ID.
appApp name.
modeSearch mode:
  • historical
  • historical batch
  • RT
  • RT indexed
provenanceSearch source:
  • cli
  • rest
  • ui:<App>:<View>
roleSplunk Enterprise platform role:
  • head
  • peer
sidSearch ID (SID).
typeSearch type:
  • ad-hoc
  • datamodel acceleration
  • other
  • report acceleration
  • scheduled
  • summary indexing
userSplunk Enterprise username who initiated the search.
status Status from the OS scheduler. Can be R (runnable or running), W (waiting), stopped, Z (zombie), or O (other). W includes voluntary sleep or blocking on I/O. O means status is knowable but does not fit into one of those categories. Not available on Windows.
t_count Current number of threads.
written_mb Amount of data written (MB), excluding canceled writes.

[ Top ]

Introspection endpoint examples

data/index-volumes GET

XML
XML Request

curl -k -u admin:passwd https://localhost:8089/services/data/index-volumes
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>introspection--disk-objects--volumes</title>
 <id>https://localhost:8089/services/data/index-volumes</id>
 <updated>2014-03-25T14:41:09-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>_splunk_summaries</title>
   <id>https://localhost:8089/services/data/index-volumes/_splunk_summaries</id>
   <updated>2014-03-25T14:41:09-07:00</updated>
   <link href="/services/data/index-volumes/_splunk_summaries" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/data/index-volumes/_splunk_summaries" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="max_size">infinite</s:key>
       <s:key name="name">_splunk_summaries</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


data/index-volumes/{name} GET

XML
XML Request

curl -k -u admin:passwd https://localhost:8089/services/data/index-volumes/_splunk_summaries
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>introspection--disk-objects--volumes</title>
 <id>https://localhost:8089/services/data/index-volumes</id>
 <updated>2014-03-27T14:35:26-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>_splunk_summaries</title>
   <id>https://localhost:8089/services/data/index-volumes/_splunk_summaries</id>
   <updated>2014-03-27T14:35:26-07:00</updated>
   <link href="/services/data/index-volumes/_splunk_summaries" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/data/index-volumes/_splunk_summaries" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="eai:attributes">... elided ...</s:key>
       <s:key name="max_size">infinite</s:key>
       <s:key name="name">_splunk_summaries</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


data/indexes GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/indexes
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>indexes</title>
 <id>https://localhost:8089/services/data/indexes</id>
 <updated>2011-07-11T18:09:22-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/indexes/_new" rel="create"/>
 <link href="/services/data/indexes/_reload" rel="_reload"/>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>_audit</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/indexes/_audit</id>
   <updated>2011-07-11T18:09:22-07:00</updated>
   <link href="/servicesNS/nobody/system/data/indexes/_audit" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/indexes/_audit" rel="list"/>
   <link href="/servicesNS/nobody/system/data/indexes/_audit/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/indexes/_audit" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/indexes/_audit/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="assureUTF8">0</s:key>
       <s:key name="blockSignSize">0</s:key>
       <s:key name="blockSignatureDatabase">_blocksignature</s:key>
       <s:key name="coldPath">$SPLUNK_DB/audit/colddb</s:key>
       <s:key name="coldPath_expanded">/home/amrit/temp/curl/splunk/var/lib/splunk/audit/colddb</s:key>
       <s:key name="coldToFrozenDir"/>
       <s:key name="coldToFrozenScript"/>
       <s:key name="compressRawdata">1</s:key>
       <s:key name="currentDBSizeMB">1</s:key>
       <s:key name="defaultDatabase">main</s:key>
       <s:key name="disabled">0</s:key>
          ... eai:acl element elided ...
       <s:key name="enableRealtimeSearch">1</s:key>
       <s:key name="frozenTimePeriodInSecs">188697600</s:key>
       <s:key name="homePath">$SPLUNK_DB/audit/db</s:key>
       <s:key name="homePath_expanded">/home/amrit/temp/curl/splunk/var/lib/splunk/audit/db</s:key>
       <s:key name="indexThreads">auto</s:key>
       <s:key name="isInternal">1</s:key>
       <s:key name="lastInitTime">1310432962.424512</s:key>
       <s:key name="maxConcurrentOptimizes">3</s:key>
       <s:key name="maxDataSize">auto</s:key>
       <s:key name="maxHotBuckets">3</s:key>
       <s:key name="maxHotIdleSecs">0</s:key>
       <s:key name="maxHotSpanSecs">7776000</s:key>
       <s:key name="maxMemMB">5</s:key>
       <s:key name="maxMetaEntries">1000000</s:key>
       <s:key name="maxRunningProcessGroups">20</s:key>
       <s:key name="maxTime">2011-07-10T22:20:53-0700</s:key>
       <s:key name="maxTotalDataSizeMB">500000</s:key>
       <s:key name="maxWarmDBCount">300</s:key>
       <s:key name="memPoolMB">auto</s:key>
       <s:key name="minRawFileSyncSecs">disable</s:key>
       <s:key name="minTime">2011-07-10T14:33:00-0700</s:key>
       <s:key name="partialServiceMetaPeriod">0</s:key>
       <s:key name="quarantineFutureSecs">2592000</s:key>
       <s:key name="quarantinePastSecs">77760000</s:key>
       <s:key name="rawChunkSizeBytes">131072</s:key>
       <s:key name="rotatePeriodInSecs">60</s:key>
       <s:key name="serviceMetaPeriod">25</s:key>
       <s:key name="suppressBannerList"/>
       <s:key name="sync">0</s:key>
       <s:key name="syncMeta">1</s:key>
       <s:key name="thawedPath">$SPLUNK_DB/audit/thaweddb</s:key>
       <s:key name="thawedPath_expanded">/home/amrit/temp/curl/splunk/var/lib/splunk/audit/thaweddb</s:key>
       <s:key name="throttleCheckPeriod">15</s:key>
       <s:key name="totalEventCount">230</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


data/indexes POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/indexes -d name=Shadow
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>indexes</title>
 <id>https://localhost:8089/servicesNS/admin/search/data/indexes</id>
 <updated>2011-05-13T13:09:27-07:00</updated>
 <generator version="98392"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/admin/search/data/indexes/_new" rel="create"/>
 <link href="/servicesNS/admin/search/data/indexes/_reload" rel="_reload"/>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>shadow</title>
   <id>https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow</id>
   <updated>2011-05-13T13:09:27-07:00</updated>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="list"/>
   <link href="/servicesNS/nobody/search/data/indexes/shadow/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="assureUTF8">0</s:key>
       <s:key name="blockSignSize">0</s:key>
       <s:key name="blockSignatureDatabase">_blocksignature</s:key>
       <s:key name="coldPath">$SPLUNK_DB/shadow/colddb</s:key>
       <s:key name="coldPath_expanded">/Applications/splunk/var/lib/splunk/shadow/colddb</s:key>
       <s:key name="coldToFrozenDir"></s:key>
       <s:key name="coldToFrozenScript"></s:key>
       <s:key name="compressRawdata">1</s:key>
       <s:key name="currentDBSizeMB">1</s:key>
       <s:key name="defaultDatabase">main</s:key>
       <s:key name="eai:acl">. . .</s:key>
       <s:key name="enableRealtimeSearch">1</s:key>
       <s:key name="frozenTimePeriodInSecs">188697600</s:key>
       <s:key name="homePath">$SPLUNK_DB/shadow/db</s:key>
       <s:key name="homePath_expanded">/Applications/splunk/var/lib/splunk/shadow/db</s:key>
       <s:key name="indexThreads">auto</s:key>
       <s:key name="isInternal">0</s:key>
       <s:key name="lastInitTime">1305317367.331268</s:key>
       <s:key name="maxConcurrentOptimizes">3</s:key>
       <s:key name="maxDataSize">auto</s:key>
       <s:key name="maxHotBuckets">3</s:key>
       <s:key name="maxHotIdleSecs">0</s:key>
       <s:key name="maxHotSpanSecs">7776000</s:key>
       <s:key name="maxMemMB">5</s:key>
       <s:key name="maxMetaEntries">1000000</s:key>
       <s:key name="maxTime"></s:key>
       <s:key name="maxTotalDataSizeMB">500000</s:key>
       <s:key name="maxWarmDBCount">300</s:key>
       <s:key name="memPoolMB">auto</s:key>
       <s:key name="minRawFileSyncSecs">disable</s:key>
       <s:key name="minTime"></s:key>
       <s:key name="partialServiceMetaPeriod">0</s:key>
       <s:key name="quarantineFutureSecs">2592000</s:key>
       <s:key name="quarantinePastSecs">77760000</s:key>
       <s:key name="rawChunkSizeBytes">131072</s:key>
       <s:key name="rotatePeriodInSecs">60</s:key>
       <s:key name="serviceMetaPeriod">25</s:key>
       <s:key name="suppressBannerList"></s:key>
       <s:key name="sync">0</s:key>
       <s:key name="syncMeta">1</s:key>
       <s:key name="thawedPath">$SPLUNK_DB/shadow/thaweddb</s:key>
       <s:key name="thawedPath_expanded">/Applications/splunk/var/lib/splunk/shadow/thaweddb</s:key>
       <s:key name="throttleCheckPeriod">15</s:key>
       <s:key name="totalEventCount">0</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


data/indexes/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/services/data/indexes/shadow
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>indexes</title>
 <id>https://localhost:8089/services/data/indexes</id>
 <updated>2012-08-02T11:10:16-07:00</updated>
 <generator build="131547" version="5.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/indexes/_new" rel="create"/>
 <link href="/services/data/indexes/_reload" rel="_reload"/>
    ... opensearch elements elided ...
 <s:messages/>

</feed>


data/indexes/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>indexes</title>
 <id>https://localhost:8089/servicesNS/nobody/search/data/indexes</id>
 <updated>2011-08-01T12:25:34-07:00</updated>
 <generator version="105103"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/nobody/search/data/indexes/_new" rel="create"/>
 <link href="/servicesNS/nobody/search/data/indexes/_reload" rel="_reload"/>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>shadow</title>
   <id>https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow</id>
   <updated>2011-08-01T11:47:55-07:00</updated>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="list"/>
   <link href="/servicesNS/nobody/search/data/indexes/shadow/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="edit"/>
   <link href="/servicesNS/nobody/search/data/indexes/shadow/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="assureUTF8">0</s:key>
       <s:key name="blockSignSize">0</s:key>
       <s:key name="blockSignatureDatabase">_blocksignature</s:key>
       <s:key name="bloomfilterTotalSizeKB">0</s:key>
       <s:key name="coldPath">$SPLUNK_DB/shadow/colddb</s:key>
       <s:key name="coldPath_expanded">/home/amrit/bin/splunk-current/var/lib/splunk/shadow/colddb</s:key>
       <s:key name="coldToFrozenDir"/>
       <s:key name="coldToFrozenScript"/>
       <s:key name="compressRawdata">1</s:key>
       <s:key name="currentDBSizeMB">1</s:key>
       <s:key name="defaultDatabase">main</s:key>
       <s:key name="disabled">0</s:key>
          ...eai:acl element elided ...
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list>
               <s:item>assureUTF8</s:item>
               <s:item>blockSignSize</s:item>
               <s:item>coldToFrozenDir</s:item>
               <s:item>coldToFrozenScript</s:item>
               <s:item>compressRawdata</s:item>
               <s:item>frozenTimePeriodInSecs</s:item>
               <s:item>maxConcurrentOptimizes</s:item>
               <s:item>maxDataSize</s:item>
               <s:item>maxHotBuckets</s:item>
               <s:item>maxHotIdleSecs</s:item>
               <s:item>maxHotSpanSecs</s:item>
               <s:item>maxMemMB</s:item>
               <s:item>maxMetaEntries</s:item>
               <s:item>maxRunningProcessGroups</s:item>
               <s:item>maxTotalDataSizeMB</s:item>
               <s:item>maxWarmDBCount</s:item>
               <s:item>minRawFileSyncSecs</s:item>
               <s:item>partialServiceMetaPeriod</s:item>
               <s:item>quarantineFutureSecs</s:item>
               <s:item>quarantinePastSecs</s:item>
               <s:item>rawChunkSizeBytes</s:item>
               <s:item>rotatePeriodInSecs</s:item>
               <s:item>serviceMetaPeriod</s:item>
               <s:item>suppressBannerList</s:item>
               <s:item>syncMeta</s:item>
               <s:item>throttleCheckPeriod</s:item>
             </s:list>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="enableRealtimeSearch">1</s:key>
       <s:key name="frozenTimePeriodInSecs">188697600</s:key>
       <s:key name="homePath">$SPLUNK_DB/shadow/db</s:key>
       <s:key name="homePath_expanded">/home/amrit/bin/splunk-current/var/lib/splunk/shadow/db</s:key>
       <s:key name="indexThreads">auto</s:key>
       <s:key name="isInternal">0</s:key>
       <s:key name="lastInitTime">1312226552.102920</s:key>
       <s:key name="maxConcurrentOptimizes">3</s:key>
       <s:key name="maxDataSize">auto</s:key>
       <s:key name="maxHotBuckets">3</s:key>
       <s:key name="maxHotIdleSecs">0</s:key>
       <s:key name="maxHotSpanSecs">7776000</s:key>
       <s:key name="maxMemMB">5</s:key>
       <s:key name="maxMetaEntries">1000000</s:key>
       <s:key name="maxRunningProcessGroups">20</s:key>
       <s:key name="maxTime"/>
       <s:key name="maxTotalDataSizeMB">500000</s:key>
       <s:key name="maxWarmDBCount">300</s:key>
       <s:key name="memPoolMB">auto</s:key>
       <s:key name="minRawFileSyncSecs">disable</s:key>
       <s:key name="minTime"/>
       <s:key name="numBloomfilters">0</s:key>
       <s:key name="numHotBuckets">0</s:key>
       <s:key name="numWarmBuckets">0</s:key>
       <s:key name="partialServiceMetaPeriod">0</s:key>
       <s:key name="quarantineFutureSecs">2592000</s:key>
       <s:key name="quarantinePastSecs">77760000</s:key>
       <s:key name="rawChunkSizeBytes">131072</s:key>
       <s:key name="rotatePeriodInSecs">60</s:key>
       <s:key name="serviceMetaPeriod">25</s:key>
       <s:key name="suppressBannerList"/>
       <s:key name="sync">0</s:key>
       <s:key name="syncMeta">1</s:key>
       <s:key name="thawedPath">$SPLUNK_DB/shadow/thaweddb</s:key>
       <s:key name="thawedPath_expanded">/home/amrit/bin/splunk-current/var/lib/splunk/shadow/thaweddb</s:key>
       <s:key name="throttleCheckPeriod">15</s:key>
       <s:key name="totalEventCount">0</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


data/indexes/{name} POST

XML
XML Request

curl -k -u admin:pass -d maxTotalDataSizeMB=400000 https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>indexes</title>
 <id>https://localhost:8089/servicesNS/nobody/search/data/indexes</id>
 <updated>2011-05-16T12:20:06-07:00</updated>
 <generator version="98392"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/nobody/search/data/indexes/_new" rel="create"/>
 <link href="/servicesNS/nobody/search/data/indexes/_reload" rel="_reload"/>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>shadow</title>
   <id>https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow</id>
   <updated>2011-05-16T12:18:56-07:00</updated>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="list"/>
   <link href="/servicesNS/nobody/search/data/indexes/shadow/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="assureUTF8">0</s:key>
       <s:key name="blockSignSize">0</s:key>
       <s:key name="blockSignatureDatabase">_blocksignature</s:key>
       <s:key name="coldPath">$SPLUNK_DB/shadow/colddb</s:key>
       <s:key name="coldPath_expanded">/Applications/splunk4.3/var/lib/splunk/shadow/colddb</s:key>
       <s:key name="coldToFrozenDir"></s:key>
       <s:key name="coldToFrozenScript"></s:key>
       <s:key name="compressRawdata">1</s:key>
       <s:key name="currentDBSizeMB">1</s:key>
       <s:key name="defaultDatabase">main</s:key>
       <s:key name="eai:acl">. . .</s:key>
       <s:key name="enableRealtimeSearch">1</s:key>
       <s:key name="frozenTimePeriodInSecs">188697600</s:key>
       <s:key name="homePath">$SPLUNK_DB/shadow/db</s:key>
       <s:key name="homePath_expanded">/Applications/splunk4.3/var/lib/splunk/shadow/db</s:key>
       <s:key name="indexThreads">auto</s:key>
       <s:key name="isInternal">0</s:key>
       <s:key name="lastInitTime">1305573611.118477</s:key>
       <s:key name="maxConcurrentOptimizes">3</s:key>
       <s:key name="maxDataSize">auto</s:key>
       <s:key name="maxHotBuckets">3</s:key>
       <s:key name="maxHotIdleSecs">0</s:key>
       <s:key name="maxHotSpanSecs">7776000</s:key>
       <s:key name="maxMemMB">5</s:key>
       <s:key name="maxMetaEntries">1000000</s:key>
       <s:key name="maxTime"></s:key>
       <s:key name="maxTotalDataSizeMB">400000</s:key>
       <s:key name="maxWarmDBCount">300</s:key>
       <s:key name="memPoolMB">auto</s:key>
       <s:key name="minRawFileSyncSecs">disable</s:key>
       <s:key name="minTime"></s:key>
       <s:key name="partialServiceMetaPeriod">0</s:key>
       <s:key name="quarantineFutureSecs">2592000</s:key>
       <s:key name="quarantinePastSecs">77760000</s:key>
       <s:key name="rawChunkSizeBytes">131072</s:key>
       <s:key name="rotatePeriodInSecs">60</s:key>
       <s:key name="serviceMetaPeriod">25</s:key>
       <s:key name="suppressBannerList"></s:key>
       <s:key name="sync">0</s:key>
       <s:key name="syncMeta">1</s:key>
       <s:key name="thawedPath">$SPLUNK_DB/shadow/thaweddb</s:key>
       <s:key name="thawedPath_expanded">/Applications/splunk4.3/var/lib/splunk/shadow/thaweddb</s:key>
       <s:key name="throttleCheckPeriod">15</s:key>
       <s:key name="totalEventCount">0</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


data/indexes-extended GET

XML
XML Request

curl -k -u admin:passwd https://localhost:8089/services/data/indexes-extended
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>introspection--disk-objects--indexes</title>
 <id>https://localhost:8089/services/data/indexes-extended</id>
 <updated>2014-03-31T12:41:09-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
   ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>_audit</title>
   <id>https://localhost:8089/services/data/indexes-extended/_audit</id>
   <updated>2014-03-31T12:41:09-07:00</updated>
   <link href="/services/data/indexes-extended/_audit" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/data/indexes-extended/_audit" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="bucket_dirs">
         <s:dict>
           <s:key name="cold">
             <s:dict>
               <s:key name="bucket_count">0</s:key>
               <s:key name="size">0.000</s:key>
             </s:dict>
           </s:key>
           <s:key name="home">
             <s:dict>
               <s:key name="event_count">6169</s:key>
               <s:key name="event_max_time">1395246673</s:key>
               <s:key name="event_min_time">1394732683</s:key>
               <s:key name="hot_bucket_count">1</s:key>
               <s:key name="size">1.000</s:key>
               <s:key name="warm_bucket_count">5</s:key>
             </s:dict>
           </s:key>
           <s:key name="thawed">
             <s:dict>
               <s:key name="bucket_count">0</s:key>
               <s:key name="size">0.000</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="name">_audit</s:key>
       <s:key name="total_bucket_count">6</s:key>
       <s:key name="total_event_count">18096</s:key>
       <s:key name="total_raw_size">1.000</s:key>
       <s:key name="total_size">1.000</s:key>
     </s:dict>
   </content>
 </entry>
     .
     .
     .
   elided
     .
     .
     .
 <entry>
   <title>summary</title>
   <id>https://localhost:8089/services/data/indexes-extended/summary</id>
   <updated>2014-03-31T12:41:09-07:00</updated>
   <link href="/services/data/indexes-extended/summary" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/data/indexes-extended/summary" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="name">summary</s:key>
       <s:key name="total_size">0.000</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


data/indexes-extended/{name} GET

XML
XML Request

curl -k -u admin:passwd https://localhost:8089/services/data/indexes-extended/history
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>introspection--disk-objects--indexes</title>
 <id>https://localhost:8089/services/data/indexes-extended</id>
 <updated>2014-03-31T12:42:29-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
   ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>_internal</title>
   <id>https://localhost:8089/services/data/indexes-extended/_internal</id>
   <updated>2014-03-31T12:42:29-07:00</updated>
   <link href="/services/data/indexes-extended/_internal" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/data/indexes-extended/_internal" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="bucket_dirs">
         <s:dict>
           <s:key name="cold">
             <s:dict>
               <s:key name="bucket_count">0</s:key>
               <s:key name="size">0.000</s:key>
             </s:dict>
           </s:key>
           <s:key name="home">
             <s:dict>
               <s:key name="event_count">180492</s:key>
               <s:key name="event_max_time">1395246673</s:key>
               <s:key name="event_min_time">1392167582</s:key>
               <s:key name="hot_bucket_count">3</s:key>
               <s:key name="size">9.000</s:key>
               <s:key name="warm_bucket_count">6</s:key>
             </s:dict>
           </s:key>
           <s:key name="thawed">
             <s:dict>
               <s:key name="bucket_count">0</s:key>
               <s:key name="size">0.000</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="eai:attributes">
         ... elided ...
       </s:key>
       <s:key name="name">_internal</s:key>
       <s:key name="total_bucket_count">9</s:key>
       <s:key name="total_event_count">556322</s:key>
       <s:key name="total_raw_size">28.000</s:key>
       <s:key name="total_size">22.000</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


server/info GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/info
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>server-info</title>
 <id>https://localhost:8089/services/server/info</id>
 <updated>2014-08-04T15:48:10-07:00</updated>
 <generator build="221120" version="6.2"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>server-info</title>
   <id>https://localhost:8089/services/server/info/server-info</id>
   <updated>2014-08-04T15:48:10-07:00</updated>
   <link href="/services/server/info/server-info" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/info/server-info" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="activeLicenseGroup">Enterprise</s:key>
       <s:key name="addOns">
         <s:dict>
           <s:key name="hadoop">
             <s:dict>
               <s:key name="parameters">
                 <s:dict>
                   <s:key name="erp_type">report</s:key>
                   <s:key name="maxNodes">10</s:key>
                 </s:dict>
               </s:key>
               <s:key name="type">external_results_provider</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="build">221120</s:key>
       <s:key name="cpu_arch">x64</s:key>
       <s:key name="eai:acl"> ... elided ... </s:key>
       <s:key name="guid">9CBD8473-4E7D-4FF2-A042-050C5C27C298</s:key>
       <s:key name="host">myHostName</s:key>
       <s:key name="host_fqdn">myHostName</s:key>
       <s:key name="isFree">0</s:key>
       <s:key name="isTrial">0</s:key>
       <s:key name="kv_store_status">Could not find task executor for type 'kv_store_status'</s:key>
       <s:key name="licenseKeys">
         <s:list>
           <s:item>31BB75AA379A50F9225471053337B6E438C4C7A1F42A905AB93AF16C9A12124E</s:item>
         </s:list>
       </s:key>
       <s:key name="licenseSignature">2f121cff440e115470154cdf92e208b5</s:key>
       <s:key name="licenseState">OK</s:key>
       <s:key name="license_labels">
         <s:list>
           <s:item>Splunk xyz License</s:item>
         </s:list>
       </s:key>
       <s:key name="master_guid">9CBD8473-4E7D-4FF2-A042-050C5C27C298</s:key>
       <s:key name="max_users">4294967295</s:key>
       <s:key name="mode">normal</s:key>
       <s:key name="numberOfCores">2</s:key>
       <s:key name="os_build">6</s:key>
       <s:key name="os_name">Windows</s:key>
       <s:key name="os_version">1</s:key>
       <s:key name="physicalMemoryMB">3982</s:key>
       <s:key name="product_type">splunk</s:key>
       <s:key name="rtsearch_enabled">1</s:key>
       <s:key name="serverName">myHostName</s:key>
       <s:key name="server_roles">
         <s:dict>
           <s:key name="indexer"/>
           <s:key name="license_master"/>
           <s:key name="management_console"/>
         </s:dict>
       </s:key>
       <s:key name="startup_time">1407182814</s:key>
       <s:key name="version">6.2</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



server/introspection GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/introspection
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot;>

<title></title>
 <id>https://localhost:8089/services/server/introspection</id>
 <updated>2014-08-04T11:40:23-07:00</updated>
 <generator build="221120" version="6.2"/>
 <author>
   <name>Splunk</name>
 </author>
 <s:messages/>
 <entry>
   <title>indexer</title>
   <id>https://localhost:8089/services/server/introspection/indexer</id>
   <updated>2014-08-04T11:40:23-07:00</updated>
   <link href="/services/server/introspection/indexer" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/indexer" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>kvstore</title>
   <id>https://localhost:8089/services/server/introspection/kvstore</id>
   <updated>2014-08-04T11:40:23-07:00</updated>
   <link href="/services/server/introspection/kvstore" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/kvstore" rel="list"/>
   <link href="/services/server/introspection/kvstore/_reload" rel="_reload"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>pipelines</title>
   <id>https://localhost:8089/services/server/introspection/pipelines</id>
   <updated>2014-08-04T11:40:23-07:00</updated>
   <link href="/services/server/introspection/pipelines" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/pipelines" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>processors</title>
   <id>https://localhost:8089/services/server/introspection/processors</id>
   <updated>2014-08-04T11:40:23-07:00</updated>
   <link href="/services/server/introspection/processors" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/processors" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>queues</title>
   <id>https://localhost:8089/services/server/introspection/queues</id>
   <updated>2014-08-04T11:40:23-07:00</updated>
   <link href="/services/server/introspection/queues" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/queues" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>

</feed>


server/introspection/indexer GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/introspection/indexer
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>introspection-indexer</title>
 <id>https://localhost:8089/services/server/introspection/indexer</id>
 <updated>2014-08-04T11:43:04-07:00</updated>
 <generator build="221120" version="6.2"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>indexer</title>
   <id>https://localhost:8089/services/server/introspection/indexer/indexer</id>
   <updated>2014-08-04T11:43:04-07:00</updated>
   <link href="/services/server/introspection/indexer/indexer" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/indexer/indexer" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="average_KBps">0.517667</s:key>
       <s:key name="eai:acl">... elided ...</s:key>
       <s:key name="reason">.</s:key>
       <s:key name="status">nominal</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


server/introspection/kvstore GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/introspection/kvstore
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot;>

<title></title>
 <id>https://localhost:8089/services/server/introspection/kvstore</id>
 <updated>2014-08-20T14:06:12-07:00</updated>
 <generator build="221120" version="6.2"/>
 <author>
   <name>Splunk</name>
 </author>
 <s:messages/>
 <entry>
   <title>collectionstats</title>
   <id>https://localhost:8089/services/server/introspection/kvstore/collectionstats</id>
   <updated>2014-08-20T14:06:12-07:00</updated>
   <link href="/services/server/introspection/kvstore/collectionstats" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/kvstore/collectionstats" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>replicasetstats</title>
   <id>https://localhost:8089/services/server/introspection/kvstore/replicasetstats</id>
   <updated>2014-08-20T14:06:12-07:00</updated>
   <link href="/services/server/introspection/kvstore/replicasetstats" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/kvstore/replicasetstats" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>serverstatus</title>
   <id>https://localhost:8089/services/server/introspection/kvstore/serverstatus</id>
   <updated>2014-08-20T14:06:12-07:00</updated>
   <link href="/services/server/introspection/kvstore/serverstatus" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/kvstore/serverstatus" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>

</feed>


server/introspection/kvstore/collectionstats GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/introspection/kvstore/collectionstats
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;> <title>kvstore-collectionstats</title> <id>https://localhost:8089/services/server/introspection/kvstore/collectionstats</id> <updated>2014-08-20T14:31:42-07:00</updated> <generator build="226873" version="6.2"/> <author>

<name>Splunk</name>

</author> ... opensearch nodes elided ... <s:messages/> <entry>

<title>collectionStats</title>
 <id>https://localhost:8089/services/server/introspection/kvstore/collectionstats/collectionStats</id>
 <updated>2014-08-20T14:31:42-07:00</updated>
 <link href="/services/server/introspection/kvstore/collectionstats/collectionStats" rel="alternate"/>
 <author>
   <name>system</name>
 </author>
 <link href="/services/server/introspection/kvstore/collectionstats/collectionStats" rel="list"/>
 <content type="text/xml">
   <s:dict>
     <s:key name="data">
       <s:list>
         <s:item>
         {"ns":"search.kvstoredemo",
          "count":0,
          "size":0,
          "storageSize":8192,
          "numExtents":1,
          "nindexes":2,
          "lastExtentSize":8192,
          "paddingFactor":1,
          "systemFlags":1,
          "userFlags":1,
          "totalIndexSize":16352,
          "indexSizes":{"_id_":8176,"_UserAndKeyUniqueIndex":8176},
          "ok":1}
         </s:item>
       </s:list>
     </s:key>
     <s:key name="eai:acl"> ... elided ...</s:key>
   </s:dict>
 </content>

</entry> </feed>


server/introspection/kvstore/replicasetstats GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/introspection/kvstore/replicasetstats
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;> <title>kvstore-collectionstats</title> <id>https://localhost:8089/services/server/introspection/kvstore/collectionstats</id> <updated>2014-08-20T14:31:42-07:00</updated> <generator build="226873" version="6.2"/> <author>

<name>Splunk</name>

</author>

  ... opensearch nodes elided ... <s:messages/>

<entry>

<title>replicasetstats</title>
<id>https://localhost:8089/services/server/introspection/kvstore/replicasetstats/replicasetstats</id>
<updated>2014-08-20T14:31:42-07:00</updated>
<link href="/services/server/introspection/kvstore/replicasetstats/replicasetstats" rel="alternate"/>
<author>
  <name>system</name>
</author>
<link href="/services/server/introspection/kvstore/replicasetstats/replicasetstats" rel="list"/>
<content type="text/xml">
  <s:dict>
    <s:key name="data">
      <s:list>
        <s:item>
           {
             "replSetStats": {
               "set": "splunkrs",
               "date": 1412203576000,
               "myState": 2,
               "syncingTo": "54.xxx.xxx.xxx:8191",
               "members": [
                 {
                   "_id": 2,
                   "name": "54.xxx.xxx.xxx:8191",
                   "health": 1,
                   "state": 2,
                   "stateStr": "SECONDARY",
                   "uptime": 102409,
                   "optime": {
                     "t": 1412101153,
                     "i": 1
                   },
                   "optimeDate": 1412101153000,
                   "lastHeartbeat": 1412203575000,
                   "lastHeartbeatRecv": 1412203575000,
                   "pingMs": 1,
                   "syncingTo": "54.xxx.xxx.xxx:8191"
                 },
                 {
                   "_id": 3,
                   "name": "54.xxx.xxx.yyy:8191",
                   "health": 1,
                   "state": 2,
                   "stateStr": "SECONDARY",
                   "uptime": 102409,
                   "optime": {
                     "t": 1412101153,
                     "i": 1
                   },
                   "optimeDate": 1412101153000,
                   "lastHeartbeat": 1412203576000,
                   "lastHeartbeatRecv": 1412203575000,
                   "pingMs": 1,
                   "syncingTo": "54.xxx.xxx.yyy:8191"
                 },
                         .
                         .
                         .
                       elided
                         .
                         .
                         .
                 {
                   "_id": 17,
                   "name": "54.xxx.xxx.zzz:8191",
                   "health": 1,
                   "state": 2,
                   "stateStr": "SECONDARY",
                   "uptime": 102409,
                   "optime": {
                     "t": 1412101153,
                     "i": 1
                   },
                   "optimeDate": 1412101153000,
                   "lastHeartbeat": 1412203574000,
                   "lastHeartbeatRecv": 1412203575000,
                   "pingMs": 1,
                   "syncingTo": "54.xxx.xxx.zzz:8191"
                 }
               ],
               "ok": 1
             },
             "oplogInfo": {
               "start": 1412022009000,
               "end": 1412101153000,
               "collectionStats": {
                 "ns": "local.oplog.rs",
                 "count": 631,
                 "size": 166964,
                 "avgObjSize": 264,
                 "storageSize": 1048580080,
                 "numExtents": 3,
                 "nindexes": 0,
                 "lastExtentSize": 4096,
                 "paddingFactor": 1,
                 "systemFlags": 0,
                 "userFlags": 0,
                 "totalIndexSize": 0,
                 "indexSizes": {},
                 "capped": true,
                 "max": 9223372036854775808.000000,
                 "ok": 1
               },
               "sources": {}
             }
           }
       </s:item>
      </s:list>
    </s:key>
    <s:key name="eai:acl"> ... elided ...</s:key>
  </s:dict>
</content>

</entry> </feed>


server/introspection/kvstore/serverstatus GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/introspection/kvstore/serverstatus
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;> <title>kvstore-serverstatus</title> <id>https://localhost:8089/services/server/introspection/kvstore/serverstatus</id> <updated>2014-08-20T14:26:42-07:00</updated> <generator build="226873" version="6.2"/> <author>

<name>Splunk</name>

</author> ... opensearch nodes elided ... <s:messages/> <entry>

<title>serverStatus</title>
 <id>https://localhost:8089/services/server/introspection/kvstore/serverstatus/serverStatus</id>
 <updated>2014-08-20T14:26:42-07:00</updated>
 <link href="/services/server/introspection/kvstore/serverstatus/serverStatus" rel="alternate"/>
 <author>
   <name>system</name>
 </author>
 <link href="/services/server/introspection/kvstore/serverstatus/serverStatus" rel="list"/>
 <content type="text/xml">
   <s:dict>
     <s:key name="data">
       <![CDATA[{

"host":"localhost:8089", "version":"2.6.3", "pid":23009, "uptime":19049, "uptimeMillis":19049447, "uptimeEstimate":18295, "localTime":{"$date":1408570002615}, "asserts":{ "regular":0, "warning":0, "msg":0, "user":0, "rollovers":0}, "backgroundFlushing":{ "flushes":317, "total_ms":11523, "average_ms":36.350158, "last_ms":0, "last_finished":{"$date":1408569973325}}, "connections":{ "current":7, "available":3269, "totalCreated":7}, "cursors":{ "note":"deprecated, use server status metrics", "clientCursors_size":0, "totalOpen":0, "pinned":0, "totalNoTimeout":0, "timedOut":0}, "dur":{ "commits":30, "journaledMB":0, "writeToDataFilesMB":0, "compression":0, "commitsInWriteLock":0, "earlyCommits":0, "timeMs":{ "dt":3072, "prepLogBuffer":0, "writeToJournal":0, "writeToDataFiles":0, "remapPrivateView":0}}, "extra_info":{ "note":"fields vary by platform", "heap_usage_bytes":67624592, "page_faults":3}, "globalLock":{ "totalTime":19049447000, "lockTime":1491098, "currentQueue":{ "total":0, "readers":0, "writers":0}, "activeClients":{ "total":0, "readers":0, "writers":0}}, "indexCounters":{ "accesses":2, "hits":2, "misses":0, "resets":0, "missRatio":0}, "locks":{ ".":{ "timeLockedMicros":{ "R":2926340, "W":1491098}, "timeAcquiringMicros":{ "R":1458997, "W":342703}}, "admin":{ "timeLockedMicros":{ "r":103638, "w":0}, "timeAcquiringMicros":{ "r":13202, "w":0}}, "local":{ "timeLockedMicros":{ "r":426518, "w":237}, "timeAcquiringMicros":{ "r":185505, "w":12}}, "search.kvstoredemo":{ "timeLockedMicros":{ "r":2832888, "w":292}, "timeAcquiringMicros":{ "r":1310820, "w":17}}}, "network":{ "bytesIn":1133611, "bytesOut":11628162, "numRequests":12070}, "opcounters":{ "insert":1, "query":4760, "update":0, "delete":0, "getmore":0, "command":8264}, "opcountersRepl":{ "insert":0, "query":0, "update":0, "delete":0, "getmore":0, "command":0}, "recordStats":{ "accessesNotInMemory":0, "pageFaultExceptionsThrown":0, "admin":{ "accessesNotInMemory":0, "pageFaultExceptionsThrown":0}, "local":{ "accessesNotInMemory":0, "pageFaultExceptionsThrown":0}, "search.kvstoredemo":{ "accessesNotInMemory":0, "pageFaultExceptionsThrown":0}}, "writeBacksQueued":false, "mem":{ "bits":64, "resident":58, "virtual":325, "supported":true, "mapped":64, "mappedWithJournal":128}, "metrics":{ "cursor":{ "timedOut":0, "open":{ "noTimeout":0, "pinned":0, "total":0}}, "document":{ "deleted":0, "inserted":1, "returned":2, "updated":0}, "getLastError":{ "wtime":{ "num":0, "totalMillis":0}, "wtimeouts":0}, "operation":{ "fastmod":0, "idhack":0, "scanAndOrder":0}, "queryExecutor":{ "scanned":0, "scannedObjects":0}, "record":{"moves":0}, "repl":{ "apply":{ "batches":{ "num":0, "totalMillis":0}, "ops":0}, "buffer":{ "count":0, "maxSizeBytes":268435456, "sizeBytes":0}, "network":{ "bytes":0, "getmores":{ "num":0, "totalMillis":0}, "ops":0, "readersCreated":0}, "preload":{ "docs":{ "num":0, "totalMillis":0}, "indexes":{ "num":0, "totalMillis":0}}}, "storage":{ "freelist":{ "search":{ "bucketExhausted":0, "requests":0, "scanned":0}}}, "ttl":{ "deletedDocuments":0, "passes":317}}, "ok":1}]]>

    </s:key>
     <s:key name="eai:acl"> ... elided ... </s:key>
   </s:dict>
 </content>

</entry> </feed>


server/introspection/search/saved GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/server/introspection/search/saved
XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>introspection-savedsearches</title>
  <id>https://localhost:8089/services/server/introspection/search/saved</id>
  <updated>2015-06-03T16:41:21-07:00</updated>
  <generator build="6cfc0237739f" version="6.3.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/introspection/search/saved/_acl" rel="_acl"/>
  <opensearch:totalResults>2</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>admin;search;search_1</title>
    <id>https://localhost:8089/services/server/introspection/search/saved/admin%3Bsearch%3Bsearch_1</id>
    <updated>2015-06-03T16:41:21-07:00</updated>
    <link href="/services/server/introspection/search/saved/admin%3Bsearch%3Bsearch_1” rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/saved/admin%3Bsearch%3Bsearch_1” rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="final_score">1433294868</s:key>
        <s:key name="name">search_1</s:key>
        <s:key name="orig_score">1433374860</s:key>
        <s:key name="owner">admin</s:key>
        <s:key name="priority_no">1</s:key>
        <s:key name="real_time_adj">-80000</s:key>
        <s:key name="runtime_adj">8</s:key>
        <s:key name="skipped_adj">0</s:key>
        <s:key name="window_adj">0</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>nobody;search;Errors in the last hour</title>
    <id>https://localhost:8089/services/server/introspection/search/saved/nobody%3Bsearch%3BErrors%20in%20the%20last%20hour</id>
    <updated>2015-06-03T16:41:21-07:00</updated>
    <link href="/services/server/introspection/search/saved/nobody%3Bsearch%3BErrors%20in%20the%20last%20hour" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/saved/nobody%3Bsearch%3BErrors%20in%20the%20last%20hour" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="final_score">1433294980</s:key>
        <s:key name="name">Errors in the last hour</s:key>
        <s:key name="orig_score">1433374860</s:key>
        <s:key name="owner">nobody</s:key>
        <s:key name="priority_no">2</s:key>
        <s:key name="real_time_adj">-80000</s:key>
        <s:key name="runtime_adj">1</s:key>
        <s:key name="skipped_adj">0</s:key>
        <s:key name="window_adj">119</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
</div>


server/status GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot;>

<title></title>
 <id>https://localhost:8089/services/server/status</id>
 <updated>2014-03-25T13:52:59-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <s:messages/>
 <entry>
   <title>dispatch-artifacts</title>
   <id>https://localhost:8089/services/server/status/dispatch-artifacts</id>
   <updated>2014-03-25T13:52:59-07:00</updated>
   <link href="/services/server/status/dispatch-artifacts" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/dispatch-artifacts" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>fishbucket</title>
   <id>https://localhost:8089/services/server/status/fishbucket</id>
   <updated>2014-03-25T13:52:59-07:00</updated>
   <link href="/services/server/status/fishbucket" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/fishbucket" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>partitions-space</title>
   <id>https://localhost:8089/services/server/status/partitions-space</id>
   <updated>2014-03-25T13:52:59-07:00</updated>
   <link href="/services/server/status/partitions-space" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/partitions-space" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>

</feed>



server/status/dispatch-artifacts GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status/dispatch-artifacts
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>introspection--disk-objects--search-dispatch-artifacts</title>
 <id>https://localhost:8089/services/server/status/dispatch-artifacts</id>
 <updated>2014-03-25T11:10:33-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>result</title>
   <id>https://localhost:8089/services/server/status/dispatch-artifacts/result</id>
   <updated>2014-03-25T11:10:33-07:00</updated>
   <link href="/services/server/status/dispatch-artifacts/result" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/dispatch-artifacts/result" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="count_realtime">0</s:key>
       <s:key name="count_scheduled">0</s:key>
       <s:key name="count_summary">0</s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="top_apps"/>
       <s:key name="top_named_searches"/>
       <s:key name="top_users"/>
       <s:key name="total_count">0</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



server/status/fishbucket GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status/fishbucket
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>introspection--disk-objects--fishbucket</title>
 <id>https://localhost:8089/services/server/status/fishbucket</id>
 <updated>2014-03-25T11:31:10-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>result</title>
   <id>https://localhost:8089/services/server/status/fishbucket/result</id>
   <updated>2014-03-25T11:31:10-07:00</updated>
   <link href="/services/server/status/fishbucket/result" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/fishbucket/result" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="key_count">0</s:key>
       <s:key name="total_size">0.000</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



server/status/limits/search-concurrency GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status/limits/search-concurrency
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>server-status-limits-concurrency</title>
 <id>https://localhost:8089/services/server/status/limits/search-concurrency</id>
 <updated>2014-03-25T11:40:16-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>search-concurrency</title>
   <id>https://localhost:8089/services/server/status/limits/search-concurrency/search-concurrency</id>
   <updated>2014-03-25T11:40:16-07:00</updated>
   <link href="/services/server/status/limits/search-concurrency/search-concurrency" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/limits/search-concurrency/search-concurrency" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="max_auto_summary_searches">2</s:key>
       <s:key name="max_hist_scheduled_searches">5</s:key>
       <s:key name="max_hist_searches">10</s:key>
       <s:key name="max_rt_scheduled_searches">5</s:key>
       <s:key name="max_rt_searches">10</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



server/status/partitions-space GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status/partitions-space
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>introspection--disk-objects--partitions-space</title>
 <id>https://localhost:8089/services/server/status/partitions-space</id>
 <updated>2014-03-25T11:43:39-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>0</title>
   <id>https://localhost:8089/services/server/status/partitions-space/0</id>
   <updated>2014-03-25T11:43:39-07:00</updated>
   <link href="/services/server/status/partitions-space/0" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/partitions-space/0" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capacity">104901.000</s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="free">7774.000</s:key>
       <s:key name="fs_type">ntfs</s:key>
       <s:key name="mount_point">C:\</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



server/status/resource-usage GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status/resource-usage
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot;>

<title></title>
 <id>https://localhost:8089/services/server/status/resource-usage</id>
 <updated>2014-03-25T11:53:26-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <s:messages/>
 <entry>
   <title>hostwide</title>
   <id>https://localhost:8089/services/server/status/resource-usage/hostwide</id>
   <updated>2014-03-25T11:53:26-07:00</updated>
   <link href="/services/server/status/resource-usage/hostwide" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/resource-usage/hostwide" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>splunk-processes</title>
   <id>https://localhost:8089/services/server/status/resource-usage/splunk-processes</id>
   <updated>2014-03-25T11:53:26-07:00</updated>
   <link href="/services/server/status/resource-usage/splunk-processes" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/resource-usage/splunk-processes" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>

</feed>



server/status/resource-usage/hostwide GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status/resource-usage/hostwide
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>introspection--resource-usage--hostwide</title>
 <id>https://localhost:8089/services/server/status/resource-usage/hostwide</id>
 <updated>2014-03-25T11:45:29-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>result</title>
   <id>https://localhost:8089/services/server/status/resource-usage/hostwide/result</id>
   <updated>2014-03-25T11:45:29-07:00</updated>
   <link href="/services/server/status/resource-usage/hostwide/result" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/resource-usage/hostwide/result" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="cpu_idle_pct">90.95</s:key>
       <s:key name="cpu_system_pct">4.84</s:key>
       <s:key name="cpu_user_pct">4.21</s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="mem">3982.234</s:key>
       <s:key name="mem_used">3193.137</s:key>
       <s:key name="runnable_process_count">1</s:key>
       <s:key name="swap">7962.652</s:key>
       <s:key name="swap_used">3244.652</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



server/status/resource-usage/splunk-processes GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status/resource-usage/splunk-processes/0
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>introspection--resource-usage--splunk-processes</title>
 <id>https://localhost:8089/services/server/status/resource-usage/splunk-processes</id>
 <updated>2014-03-26T13:35:52-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>0</title>
   <id>https://localhost:8089/services/server/status/resource-usage/splunk-processes/0</id>
   <updated>2014-03-26T13:35:52-07:00</updated>
   <link href="/services/server/status/resource-usage/splunk-processes/0" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/resource-usage/splunk-processes/0" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="args"> instrument-resource-usage</s:key>
       <s:key name="eai:acl">
           ... elided ...
       </s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="elapsed">619262.3610</s:key>
       <s:key name="mem_used">15.762</s:key>
       <s:key name="page_faults">12001684</s:key>
       <s:key name="pct_memory">0.40</s:key>
       <s:key name="pid">4256</s:key>
       <s:key name="ppid">2476</s:key>
       <s:key name="process">splunkd</s:key>
       <s:key name="t_count">4</s:key>
     </s:dict>
   </content>
 </entry>
</feed>

Knowledge endpoints

Knowledge endpoint descriptions

Knowledge type endpoints,

data/lookup-table-files


https://<host>:<mPort>/services/data/lookup-table-files

Authentication: Not required

Description

Provides access to lookup table files.

Method summary
Method Description Formats
GET List lookup table files. XML, JSON
POST Create a lookup table file by moving a file from the upload staging area into $SPLUNK_HOME. XML, JSON

GET data/lookup-table-files method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
eai:appName The app for which the lookup table applies.
eai:data The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName The Splunk Enterprise user who created the lookup table.

POST data/lookup-table-files method detail

Example

Request parameters
Name Type Default Description
eai:data
required
String Move a lookup table file from the given path into $SPLUNK_HOME. This path must have the lookup staging area as an ancestor.
name
required
String The lookup table filename.
Response data keys
Name Description
eai:appName The app for which the lookup table applies.
eai:data The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName The Splunk Enterprise user who created the lookup table.

[ Top ]



data/lookup-table-files/{name}


https://<host>:<mPort>/services/data/lookup-table-files/{name}

Authentication: Not required

Description

Manage the {name} lookup table file.

Method summary
Method Description Formats
DELETE Delete the named lookup table file. XML, JSON
GET List a single lookup table file. XML, JSON
POST Modify a lookup table file by replacing it with a file from the upload staging area. XML, JSON

DELETE data/lookup-table-files/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/lookup-table-files/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
eai:appName The app for which the lookup table applies.
eai:attributes Field control information.
eai:data The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName The Splunk Enterprise user who created the lookup table.

POST data/lookup-table-files/{name} method detail

Example

Request parameters
Name Type Default Description
eai:data
required
String Move a lookup table file from the given path into $SPLUNK_HOME. This path must have the lookup staging area as an ancestor.
Response data keys
Name Description
eai:appName The app for which the lookup table applies.
eai:data The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName The Splunk Enterprise user who created the lookup table.

[ Top ]



data/props/calcfields


https://<host>:<mPort>/services/data/props/calcfields

Authentication: Not required

Description

Provides access to calculated fields, which are eval expressions in props.conf.

Method summary
Method Description Formats
GET Returns information on calculated fields for this instance of Splunk. XML, JSON
POST Create an eval expression defining a calculated field in props.conf. XML, JSON

GET data/props/calcfields method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
attribute The name of the calculated field, which includes the "EVAL-" prefix.
field.name The name of the field which is being calculated with an EVAL expression.
stanza The name of the stanza in props.conf that defines the calculated field.
type The type of the calculated field.

This is always EVAL.

value The EVAL statement for the calculated field.
Application usage

See Define calculated fields in the Splunk Knowledge Manager manual for more information.


POST data/props/calcfields method detail

Example

Request parameters
Name Type Default Description
name
required
String The name of the calculated field. Do not specify the "EVAL-" prefix for the field.

When Splunk Enterprise writes the calculated field to props.conf, it adds the "EVAL-" prefix.

stanza
required
String The name of the stanza in props.conf for the calculated field.

The name can be any of the following:

  • Sourcetype of an event
  • host::<host>, where <host> is the host for an event
  • source::<source>, where <source> is the source for an event.
Note: Use URL-encoding to ensure that Splunk Enterprise interprets the name of the stanza correctly.
value
required
String The eval statement, which can be evaluated to any value type, including multivals, boolean, or null.
Note: Use URL-encoding to ensure that Splunk Enterprise interprets the name of the stanza correctly.

See Create a calculated field by editing props.conf in the Splunk Knowledge Manager manual for details.

Response data keys
Name Description
attribute The name of the calculated field, which includes the "EVAL-" prefix.
field.name The name of the field which is being calculated with an EVAL expression.
stanza The name of the stanza in props.conf that defines the calculated field.
type The type of the calculated field.

This is always EVAL.

value The EVAL statement for the calculated field.
Application usage

See Define calculated fields in the Splunk Knowledge Manager manual for more information.

[ Top ]



data/props/calcfields/{name}


https://<host>:<mPort>/services/data/props/calcfields/{name}

Authentication: Not required

Description

Manage the {name} calculated field.

Method summary
Method Description Formats
DELETE Deletes the named calculated field. XML, JSON
GET Returns details about the named calculated field. XML, JSON
POST Update the named calculated field. XML, JSON

DELETE data/props/calcfields/{name} method detail

Example

Request parameters

None

Response data keys

None

Application usage

Use URL-encoding to ensure that Splunk Enterprise interprets the name of the calculated field correctly.


GET data/props/calcfields/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
attribute The name of the calculated field, which includes the "EVAL-" prefix.
field.name The name of the field which is being calculated with an EVAL expression.
stanza The name of the stanza in props.conf that defines the calculated field.
type The type of the calculated field.

This is always EVAL.

value The EVAL statement for the calculated field.

POST data/props/calcfields/{name} method detail

Example

Request parameters
Name Type Default Description
value String The eval statement, which can be evaluated to any value type, including multivals, boolean, or null.
Note: Use URL-encoding to ensure that Splunk Enterprise interprets the name of the stanza correctly.

See Create a calculated field by editing props.conf in the Splunk Knowledge Manager manual for details.

Response data keys
Name Description
attribute The name of the calculated field, which includes the "EVAL-" prefix.
field.name The name of the field which is being calculated with an EVAL expression.
stanza The name of the stanza in props.conf that defines the calculated field.
type The type of the calculated field.

This is always EVAL.

value The EVAL statement for the calculated field.

[ Top ]



data/props/extractions


https://<host>:<mPort>/services/data/props/extractions

Authentication: Not required

Description

Provides access to search-time field extractions in props.conf.

Method summary
Method Description Formats
GET List field extractions. XML, JSON
POST Create a new field extraction. XML, JSON

GET data/props/extractions method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza The props.conf stanza to which this field extraction applies.

for example, the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix.

type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.


POST data/props/extractions method detail

Example

Request parameters
Name Type Default Description
name
required
String The user-specified part of the field extraction name. The full name of the field extraction includes this identifier as a suffix.
stanza
required
String The props.conf stanza to which this field extraction applies, e.g. the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix.
type
required
Enum Valid values: (REPORT | EXTRACT)

An EXTRACT-type field extraction is defined with an "inline" regular expression. A REPORT-type field extraction refers to a transforms.conf stanza.

value
required
String If this is an EXTRACT-type field extraction, specify a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, specify a comma- or space-delimited list of transforms.conf stanza names that define the field transformations to apply.
Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza Specifies the name of the stanza for the field extraction.
type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

[ Top ]



data/props/extractions/{name}


https://<host>:<mPort>/services/data/props/extractions/{name}

Authentication: Not required

Description

Manage the {name} field extraction.

Method summary
Method Description Formats
DELETE Delete the named field extraction. XML, JSON
GET List a single field extraction. XML, JSON
POST Modify the named field extraction. XML, JSON

DELETE data/props/extractions/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/props/extractions/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza The props.conf stanza to which this field extraction applies.

for example, the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix.

type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.


POST data/props/extractions/{name} method detail

Example

Request parameters
Name Type Default Description
value
required
String If this is an EXTRACT-type field extraction, specify a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, specify a comma- or space-delimited list of transforms.conf stanza names that define the field transformations to apply.
Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza Specifies the name of the stanza for the field extraction.
type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

[ Top ]



data/props/fieldaliases


https://<host>:<mPort>/services/data/props/fieldaliases

Authentication: Not required

Description

Provides access to field aliases in props.conf.

Method summary
Method Description Formats
GET List field aliases. XML, JSON
POST Create a new field alias. XML, JSON

GET data/props/fieldaliases method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
alias.* The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix.
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.


POST data/props/fieldaliases method detail

Example

Request parameters
Name Type Default Description
alias.* String The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar".
name
required
String The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix.
stanza
required
String The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
Response data keys
Name Description
alias.* The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix.
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

[ Top ]



data/props/fieldaliases/{name}


https://<host>:<mPort>/services/data/props/fieldaliases/{name}

Authentication: Not required

Description

Manage the {name} field alias.

Method summary
Method Description Formats
DELETE Delete the named field alias. XML, JSON
GET List a single field alias. XML, JSON
POST Modify the named field alias. XML, JSON

DELETE data/props/fieldaliases/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/props/fieldaliases/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
alias.* The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix.
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.


POST data/props/fieldaliases/{name} method detail

Example

Request parameters
Name Type Default Description
alias.* String The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar".
Response data keys
Name Description
alias.* The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar".
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

[ Top ]



data/props/lookups


https://<host>:<mPort>/services/data/props/lookups

Authentication: Not required

Description

Provides access to automatic lookups in props.conf.

Method summary
Method Description Formats
GET List automatic lookups. XML, JSON
POST Create a new automatic lookup. XML, JSON

GET data/props/lookups method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, LOOKUP-my_lookup.

overwrite If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

transform The transforms.conf stanza that defines the lookup to apply.
type Specifies the field extraction type.

For this endpoint, this is always LOOKUP

value The transform stanza with the value for the lookup.

POST data/props/lookups method detail

Example

Request parameters
Name Type Default Description
lookup.field.input.* String A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.
lookup.field.output.* String A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.
name
required
String The user-specified part of the automatic lookup name. The full name of the automatic lookup includes this identifier as a suffix.
overwrite
required
Boolean If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza
required
String The props.conf stanza to which this automatic lookup applies, e.g. the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.
transform
required
String The transforms.conf stanza that defines the lookup to apply.
Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, LOOKUP-my_lookup.

lookup.field.input.* A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.
lookup.field.output.* A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.
overwrite If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

transform The transforms.conf stanza that defines the lookup to apply.
type Specifies the field extraction type.

For this endpoint, this is alwqys LOOKUP.

value The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

[ Top ]



data/props/lookups/{name}


https://<host>:<mPort>/services/data/props/lookups/{name}

Authentication: Not required

Description

Manage the {name} automatic lookup.

Method summary
Method Description Formats
DELETE Delete the named automatic lookup. XML, JSON
GET List a single automatic lookup. XML, JSON
POST Modify the named automatic lookup. XML, JSON

DELETE data/props/lookups/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/props/lookups/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, LOOKUP-my_lookup.

overwrite If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

transform The transforms.conf stanza that defines the lookup to apply.
type Specifies the field extraction type.

For this endpoint, this is always LOOKUP.

value The transform stanza with the value for the lookup.

POST data/props/lookups/{name} method detail

Example

Request parameters
Name Type Default Description
lookup.field.input.* String A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.
lookup.field.output.* String A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.
overwrite
required
Boolean If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
transform
required
String The transforms.conf stanza that defines the lookup to apply.
Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, LOOKUP-my_lookup.

lookup.field.input.* A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.
lookup.field.output.* A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.
overwrite If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

transform The transforms.conf stanza that defines the lookup to apply.
type Specifies the field extraction type.

For this endpoint, this is alwqys LOOKUP.

value The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

[ Top ]



data/props/sourcetype-rename


https://<host>:<mPort>/services/data/props/sourcetype-rename

Authentication: Not required

Description

Provides access to renamed sourcetypes which are configured in props.conf.

Method summary
Method Description Formats
GET List renamed sourcetypes. XML, JSON
POST Rename a sourcetype. XML, JSON

GET data/props/sourcetype-rename method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
attribute The configuration key.
stanza The sourcetype to rename, which is the name of a stanza in props.conf.
type The value of the configuration key.
value The new name for the sourcetype.

POST data/props/sourcetype-rename method detail

Example

Request parameters
Name Type Default Description
name
required
String The original sourcetype name.
value
required
String The new sourcetype name.
Response data keys
Name Description
attribute The configuration key.
stanza The sourcetype to rename, which is the name of a stanza in props.conf.
type The value of the configuration key.
value The new name for the sourcetype.

[ Top ]



data/props/sourcetype-rename/{name}


https://<host>:<mPort>/services/data/props/sourcetype-rename/{name}

Authentication: Not required

Description

Manage {name} sourcetype renaming.

Method summary
Method Description Formats
DELETE Restore original sourcetype name. XML, JSON
GET List a single renamed sourcetype. XML, JSON
POST Rename a sourcetype again, i.e. modify a sourcetype's new name. XML, JSON

DELETE data/props/sourcetype-rename/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/props/sourcetype-rename/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
attribute The configuration key.
stanza The sourcetype to rename, which is the name of a stanza in props.conf.
type The value of the configuration key.
value The new name for the sourcetype.

POST data/props/sourcetype-rename/{name} method detail

Example

Request parameters
Name Type Default Description
value
required
String The new sourcetype name.
Response data keys
Name Description
attribute The configuration key.
stanza The sourcetype to rename, which is the name of a stanza in props.conf.
type The value of the configuration key.
value The new name for the sourcetype.

[ Top ]



data/transforms/extractions


https://<host>:<mPort>/services/data/transforms/extractions

Authentication: Not required

Description

Provides access to field transformations, i.e. field extraction definitions.

Method summary
Method Description Formats
GET List field transformations. XML, JSON
POST Create a new field transformation. XML, JSON

GET data/transforms/extractions method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
CAN_OPTIMIZE Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation.

KEEP_EMPTY_VALS If set to true, Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time filed extractions. specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if the field transformation is disabled.
eai:appName The Splunk Enterprise app for which the field extractions are defined. For example, the search app.
eai:userName The name of the Splunk Enterprise user who created the field extraction definitions. For example, the admin user.

POST data/transforms/extractions method detail

Example

Request parameters
Name Type Default Description
CAN_OPTIMIZE Bool True Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are *always* discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is needed for the successful evaluation of a search.

NOTE: This option should rarely be set to false.

CLEAN_KEYS Boolean True If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
disabled Boolean Specifies whether the field transformation is disabled.
FORMAT String This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

FORMAT for index-time extractions:

Use $n (for example $1, $2, etc) to specify the output of each REGEX match.

If REGEX does not have n groups, the matching fails.

The special identifier $0 represents what was in the DEST_KEY before the REGEX was performed.

At index-time only, you can use FORMAT to create concatenated fields: FORMAT = ipaddress::$1.$2.$3.$4

When you create concatenated fields with FORMAT, "$" is the only special character. It is treated as a prefix for regex-capturing groups only if it is followed by a number and only if the number applies to an existing capturing group. So if REGEX has only one capturing group and its value is "bar", then: \t"FORMAT = foo$1" yields "foobar" \t"FORMAT = foo$bar" yields "foo$bar" \t"FORMAT = foo$1234" yields "foo$1234" \t"FORMAT = foo$1\\$2" yields "foobar\\$2"

At index-time, FORMAT defaults to <stanza-name>::$1

FORMAT for search-time extractions:

The format of this field as used during search time extractions is as follows: \tFORMAT = <field-name>::<field-value>( <field-name>::<field-value>)* \tfield-name = [<string>|$<extracting-group-number>] \tfield-value = [<string>|$<extracting-group-number>]

Search-time extraction examples: \tFORMAT = first::$1 second::$2 third::other-value \tFORMAT = $1::$2

You cannot create concatenated fields with FORMAT at search time. That functionality is only available at index time.

At search-time, FORMAT defaults to an empty string.

KEEP_EMPTY_VALS Boolean False If set to true, Splunk Enterprise preserves extracted fields with empty values.
MV_ADD Boolean False If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
name
required
String The name of the field transformation.
REGEX
required
String Specify a regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: \tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \tREGEX is required for all index-time transforms.

REGEX and the FORMAT attribute:

Name-capturing groups in the REGEX are extracted directly to fields. This means that you do not need to specify the FORMAT attribute for simple field extraction cases.

If the REGEX extracts both the field name and its corresponding field value, you can use the following special capturing groups if you want to skip specifying the mapping in FORMAT: _KEY_<string>, _VAL_<string>.

For example, the following are equivalent: \tUsing FORMAT: \t\tREGEX = ([a-z]+)=([a-z]+) \t\tFORMAT = $1::$2 \tWithout using FORMAT \t\tREGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+)

REGEX defaults to an empty string.

SOURCE_KEY
required
String _raw Specify the KEY to which Splunk Enterprise applies REGEX.
Response data keys
Name Description
CAN_OPTIMIZE Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation.

KEEP_EMPTY_VALS If set to true, Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time filed extractions. specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: \\tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \\tREGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if the field transformation is disabled.
eai:appName The Splunk Enterprise app for which the field extractions are defined. For example, the search app.
eai:userName The name of the Splunk Enterprise user who created the field extraction definitions. For example, the admin user.

[ Top ]



data/transforms/extractions/{name}


https://<host>:<mPort>/services/data/transforms/extractions/{name}

Authentication: Not required

Description

Manage {name} field transformation.

Method summary
Method Description Formats
DELETE Delete the named field transformation. XML, JSON
GET List a single field transformation. XML, JSON
POST Modify the named field transformation. XML, JSON

DELETE data/transforms/extractions/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/transforms/extractions/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
CAN_OPTIMIZE Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation.

KEEP_EMPTY_VALS If set to true, Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time filed extractions. specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if the field transformation is disabled.
eai:appName The Splunk Enterprise app for which the field extractions are defined. For example, the search app.
eai:attributes Field control information.
eai:userName The name of the Splunk Enterprise user who created the field extraction definitions. For example, the admin user.

POST data/transforms/extractions/{name} method detail

Example

Request parameters
Name Type Default Description
REGEX String Specify a regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: \tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \tREGEX is required for all index-time transforms.

REGEX and the FORMAT attribute:

Name-capturing groups in the REGEX are extracted directly to fields. This means that you do not need to specify the FORMAT attribute for simple field extraction cases.

If the REGEX extracts both the field name and its corresponding field value, you can use the following special capturing groups if you want to skip specifying the mapping in FORMAT: _KEY_<string>, _VAL_<string>.

For example, the following are equivalent: \tUsing FORMAT: \t\tREGEX = ([a-z]+)=([a-z]+) \t\tFORMAT = $1::$2 \tWithout using FORMAT \t\tREGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+)

REGEX defaults to an empty string.

SOURCE_KEY String _raw Specify the KEY to which Splunk Enterprise applies REGEX.
CAN_OPTIMIZE Bool True Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are *always* discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is needed for the successful evaluation of a search.

NOTE: This option should rarely be set to false.

CLEAN_KEYS Boolean True If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
FORMAT String This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

FORMAT for index-time extractions:

Use $n (for example $1, $2, etc) to specify the output of each REGEX match.

If REGEX does not have n groups, the matching fails.

The special identifier $0 represents what was in the DEST_KEY before the REGEX was performed.

At index-time only, you can use FORMAT to create concatenated fields: FORMAT = ipaddress::$1.$2.$3.$4

When you create concatenated fields with FORMAT, "$" is the only special character. It is treated as a prefix for regex-capturing groups only if it is followed by a number and only if the number applies to an existing capturing group. So if REGEX has only one capturing group and its value is "bar", then: \t"FORMAT = foo$1" yields "foobar" \t"FORMAT = foo$bar" yields "foo$bar" \t"FORMAT = foo$1234" yields "foo$1234" \t"FORMAT = foo$1\\$2" yields "foobar\\$2"

At index-time, FORMAT defaults to <stanza-name>::$1

FORMAT for search-time extractions:

The format of this field as used during search time extractions is as follows: \tFORMAT = <field-name>::<field-value>( <field-name>::<field-value>)* \tfield-name = [<string>|$<extracting-group-number>] \tfield-value = [<string>|$<extracting-group-number>]

Search-time extraction examples: \tFORMAT = first::$1 second::$2 third::other-value \tFORMAT = $1::$2

You cannot create concatenated fields with FORMAT at search time. That functionality is only available at index time.

At search-time, FORMAT defaults to an empty string.

KEEP_EMPTY_VALS Boolean False If set to true, Splunk Enterprise preserves extracted fields with empty values.
MV_ADD Boolean False If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
disabled Boolean Specifies whether the field transformation is disabled.
Response data keys
Name Description
CAN_OPTIMIZE Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation.

KEEP_EMPTY_VALS If set to true, Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time filed extractions. specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: \\tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \\tREGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if the field transformation is disabled.
eai:appName The Splunk Enterprise app for which the field extractions are defined. For example, the search app.
eai:userName The name of the Splunk Enterprise user who created the field extraction definitions. For example, the admin user.

|}

[ Top ]



data/transforms/lookups


https://<host>:<mPort>/services/data/transforms/lookups

Authentication: Not required

Description

Provides access to lookup definitions in transforms.conf.

Method summary
Method Description Formats
GET List lookup definitions. XML, JSON
POST Create a new lookup definition. XML, JSON

GET data/transforms/lookups method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
CAN_OPTIMIZE Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.

KEEP_EMPTY_VALS If set to true, Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time filed extractions. specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if this lookup is disabled.
eai:appName The Splunk Enterprise app for which the lookups are defined. For example, the search app.
eai:userName The Splunk Enterprise user for which the lookups are defined.
external_cmd Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list List of all fields that are supported by the external command.
type Specifies the field extraction type.

Can be either external or file.


POST data/transforms/lookups method detail

Example

Request parameters
Name Type Default Description
name String The name of the lookup definition.
default_match String If min_matches is greater than zero and Splunk Enterprise has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled Boolean Specifies whether the lookup definition is disabled.
external_cmd String Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list String A comma- and space-delimited list of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename String The name of the static lookup table file.
max_matches Number The maximum number of possible matches for each input lookup value.
max_offset_secs Number For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches Number The minimum number of possible matches for each input lookup value.
min_offset_secs Number For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry timestamp for a match to occur.
time_field String For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format String For temporal lookups, this specifies the "strptime" format of the timestamp field.
Response data keys
Name Description
CAN_OPTIMIZE Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.

KEEP_EMPTY_VALS If set to true, Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time filed extractions. specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

default_match If min_matches is greater than zero and Splunk Enterprise has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled Specifies whether the lookup definition is disabled.
eai:appName The Splunk Enterprise app for which the lookups are defined. For example, the search app.
eai:userName The Splunk Enterprise user for which the lookups are defined.
external_cmd Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list List of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename The name of the static lookup table file.
max_matches The maximum number of possible matches for each input lookup value.

If the lookup is non-temporal (not time-bounded, meaning the time_field attribute is not specified), Splunk Enterprise uses the first <integer> entries, in file order.

If the lookup is temporal, Splunk Enterprise uses the first <integer> entries in descending time order.

Default = 100 if the lookup is not temporal, default = 1 if it is temporal.

max_offset_secs For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches The minimum number of possible matches for each input lookup value.
min_offset_secs For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
time_field For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format For temporal lookups, this specifies the \\"strptime\\" format of the timestamp field.
type Specifies the field extraction type.

Can be either external or file.

[ Top ]



data/transforms/lookups/{name}


https://<host>:<mPort>/services/data/transforms/lookups/{name}

Authentication: Not required

Description

Manage the {name} lookup definition.

Method summary
Method Description Formats
DELETE Delete the named lookup definition. XML, JSON
GET List a single lookup definition. XML, JSON
POST Modify the named lookup definition. XML, JSON

DELETE data/transforms/lookups/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/transforms/lookups/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
CAN_OPTIMIZE Indicates whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS Indicates whether Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.

KEEP_EMPTY_VALS Indicates whether Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD For index-time filed extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD "If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if this lookup is disabled.
eai:appName The Splunk Enterprise app for which the lookups are defined. For example, the search app.
eai:attributes Field control information.
eai:userName The Splunk Enterprise user for which the lookups are defined.
filename The name of the static lookup table file.
type Specifies the field extraction type.

Can be either external or file.


POST data/transforms/lookups/{name} method detail

Example

Request parameters
Name Type Default Description
default_match String If min_matches is greater than zero and Splunk Enterprise has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled Boolean Specifies whether the lookup definition is disabled.
external_cmd String Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list String A comma- and space-delimited list of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename String The name of the static lookup table file.
max_matches Number The maximum number of possible matches for each input lookup value.
max_offset_secs Number For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches Number The minimum number of possible matches for each input lookup value.
min_offset_secs Number For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry timestamp for a match to occur.
time_field String For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format String For temporal lookups, this specifies the "strptime" format of the timestamp field.
Response data keys
Name Description
CAN_OPTIMIZE Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.

KEEP_EMPTY_VALS If set to true, Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time filed extractions. specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

default_match If min_matches is greater than zero and Splunk Enterprise has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled Specifies whether the lookup definition is disabled.
eai:appName The Splunk Enterprise app for which the lookups are defined. For example, the search app.
eai:userName The Splunk Enterprise user for which the lookups are defined.
external_cmd Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list List of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename The name of the static lookup table file.
max_matches The maximum number of possible matches for each input lookup value.
max_offset_secs For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches The minimum number of possible matches for each input lookup value.
min_offset_secs For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
time_field For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format For temporal lookups, this specifies the "strptime" format of the timestamp field.
type Specifies the field extraction type.

Can be either external or file.

[ Top ]



datamodel/acceleration (DEPRECATED)


https://<host>:<mPort>/services/datamodel/acceleration

Authentication: Not required

Description

Access information about data models that have acceleration enabled.

Method summary
Method Description Formats
GET List information about data models that have acceleration enabled. XML, JSON

GET datamodel/acceleration method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys

None

Application usage

Refer to Manage data models for more implementation information about data models and acceleration.

[ Top ]



datamodel/acceleration/{name} (DEPRECATED)


https://<host>:<mPort>/services/datamodel/acceleration/{name}

Authentication: Not required

Description

Get information about the {name} datamodel.

Method summary
Method Description Formats
GET List information about the named data model, which has acceleration enabled. XML, JSON

GET datamodel/acceleration/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
acceleration Indicates if acceleration is enabled for this data model.
acceleration.earliest_time The earliest time to dispatch the search.
search Specifies the search to accelerate this data model.

[ Top ]



datamodel/model


https://<host>:<mPort>/services/datamodel/model

Authentication: Not required

Description

Access information about data models.

Method summary
Method Description Formats
GET List data models on the server. XML, JSON
POST Create a new data model. XML, JSON

GET datamodel/model method detail

Example

Request parameters
Name Type Default Description
concise Boolean Indicates whether to list a concise JSON description of the data model.

The concise description is a summary for human readability. It is not used to create the data model.

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
acceleration Indicates whether acceleration is enabled for the data model.
concise Indicates whether to list a concise JSON description of the data model.
description The JSON describing the data model.
displayName The name displayed for the data model in Splunk Web.
eai:appName The Splunk Enterprise app in which the data model was created.
eai:userName The name of the Splunk Enterprise user who created the data model.
Application usage

For more implementation information on data models refer to About data models in the Knowledge Manager manual.


POST datamodel/model method detail

Example

Request parameters
Name Type Default Description
description String JSON description of the data model.
name String Name of the data model.
acceleration String Specify the acceleration settings for the data model. Supply JSON to specify any or all of the following settings:
enabled (true or false)
earliest_time (time modifier)
cron_schedule (cron string)

For example:

acceleration='{"enabled": true, "acceleration.earliest_time": -1mon, "acceleration.cron_schedule": 0 */12 * * *}'

concise Boolean Indicates whether to return a concise JSON description of the data model after creating the data model.

The concise description is a summary for human readability. It is not used to create the data model.

Response data keys

None

Application usage

For more implementation information on data models refer to About data models in the Knowledge Manager manual.

[ Top ]



datamodel/model/{name}


https://<host>:<mPort>/services/datamodel/model/{name}

Authentication: Not required

Description

Manage the {name} datamodel resource.

Method summary
Method Description Formats
DELETE Deletes a data model resource. XML, JSON
GET List information about a data model resource. XML, JSON
POST Update a data model resource. XML, JSON

DELETE datamodel/model/{name} method detail

Example

Request parameters

None

Response data keys

None


GET datamodel/model/{name} method detail

Example

Request parameters
Name Type Default Description
concise Boolean Indicates whether to list a concise JSON description of the data model.

The concise description is a summary for human readability. It is not used to create the data model.

Response data keys
Name Description
acceleration Indicates whether acceleration is enabled for the data model.
concise Indicates whether to list a concise JSON description of the data model.
description The JSON describing the data model.
displayName The name displayed for the data model in Splunk Web.
eai:appName The Splunk Enterprise app in which the data model was created.
eai:attributes Field control information.
eai:userName The name of the Splunk Enterprise user who created the data model.

POST datamodel/model/{name} method detail

Example

Request parameters
Name Type Default Description
acceleration String Specify the acceleration settings for the data model. Supply JSON to specify any or all of the following settings:
enabled (true or false)
earliest_time (time modifier)
cron_schedule (cron string)

For example:

acceleration='{"enabled": true, "acceleration.earliest_time": -1mon, "acceleration.cron_schedule": 0 */12 * * *}'

concise Boolean Indicates whether to return a concise JSON description of the data model after creating the data model.

The concise description is a summary for human readability. It is not used to create the data model.

description String JSON description of the data model.
provisional Boolean Indicates whether the data model is provisional. Provisional data models are not saved.

Specify true to validate a data model before saving it.

If the endpoint returns with no errors, then specify this endpoint again, with provisional set to false, to save the data model.

Response data keys
Name Description
acceleration Indicates whether acceleration is enabled for the data model.
concise Indicates whether to list a concise JSON description of the data model.
description The JSON describing the data model.
displayName The name displayed for the data model in Splunk Web.
eai:appName The Splunk Enterprise app in which the data model was created.
eai:attributes Field control information.
eai:userName The name of the Splunk Enterprise user who created the data model.

[ Top ]



datamodel/pivot


https://<host>:<mPort>/services/datamodel/pivot

Authentication: Not required

Description

Provides access to pivots that are based on named data models.

Method summary
Method Description Formats
GET List information about the supplied pivot based on the named data model. XML, JSON

GET datamodel/pivot method detail

Example

Request parameters
Name Type Default Description
pivot_json String JSON specifying a pivot based on the named data model.

Typically, you URL encode this parameter.

This endpoint requires either this pivot_json parameter or a pivot_search parameter.

pivot_search String A pivot search command based on the named data model.

Typically, you URL encode this parameter.

This endpoint requires either a pivot_json or this pivot_search parameter.

Response data keys
Name Description
drilldown_search The search for running this pivot report using drilldown
open_in_search Equivalent to search parameter, but listed more simply.
pivot_json JSON specifying a pivot based on the named data model.
pivot_search A pivot search command based on the named data model.
search The search string for running the pivot report
tstats_search The search for running this pivot report using tstats
Application usage

For information on pivot implementation refer to the Splunk Pivot manual.

{name} refers to a data model on the system.

Specify a pivot using either the pivot_search or pivot_json parameter.

[ Top ]



directory


https://<host>:<mPort>/services/directory

Authentication: Not required

Description

Provides access to user configurable objects.

These objects includes search commands, UI views, UI navigation, saved searches and event types. This is useful to see which objects are provided by all apps, or a specific app when the call is namespaced. The specific configuration in restmap.conf is showInDirSvc.

Method summary
Method Description Formats
GET Provides an enumeration of app-scoped objects. XML, JSON

GET directory method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys

None

Application usage

an enumeration of the following app scoped objects:

  event types
   saved searches
   time configurations
   views
   navs
   manager XML
   quickstart XML
   search commands
   macros
   tags
   field extractions
   lookups
   workflow actions
   field aliases
   sourcetype renames

This is useful to see which apps provide which objects, or all the objects provided by a specific app. To change the visibility of an object type in this listing, use the showInDirSvc in restmap.conf.

[ Top ]



directory/{name}


https://<host>:<mPort>/services/directory/{name}

Authentication: Not required

Description

Get information about the {name} directory entity.

Method summary
Method Description Formats
GET Displays information about a single entity in the directory service enumeration. XML, JSON

GET directory/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
eai:type Entity type.
Application usage

This is rarely used. Typically after using the directory service enumeration, a client follows the specific link for an object in an enumeration.

[ Top ]



saved/eventtypes


https://<host>:<mPort>/services/saved/eventtypes

Authentication: Not required

Description

Provides access to saved event types.

Method summary
Method Description Formats
GET Retrieve saved event types. XML, JSON
POST Creates a new event type. XML, JSON

GET saved/eventtypes method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
description Description of this event type.
disabled Indicates if the event type is disabled.
eai:appName The Splunk Enterprise app for which this event type applies. For example, the Splunk search app.
eai:userName Splunk Enterprise user name of the creator of this event type. For example, the Splunk admin user.
priority The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
search Search terms for this event type.
tags [Deprecated] Tags associated with this event type.

Use the tags.conf.spec file to assign tags to groups of events with related field values.


POST saved/eventtypes method detail

Example

Request parameters
Name Type Default Description
name String The name for the event type.
search String Search terms for this event type.
description String Human-readable description of this event type.
disabled Boolean 0 If True, disables the event type.
priority Number 1 Specify an integer from 1 to 10 for the value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
tags String [Deprecated] Use tags.conf.spec file to assign tags to groups of events with related field values.
Response data keys
Name Description
description Description of this event type.
disabled Indicates if this event type is disabled.
eai:appName The Splunk Enterprise app for which this event type applies. For example, the Splunk search app.
eai:userName Splunk Enterprise user name of the creator of this event type. For example, the Splunk admin user.
priority The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
search Search terms for this event type.
tags [Deprecated] Tags associated with this event type.

Use tags.conf.spec file to assign tags to groups of events with related field values.

[ Top ]



saved/eventtypes/{name}


https://<host>:<mPort>/services/saved/eventtypes/{name}

Authentication: Not required

Description

Manage the {name} event type.

Method summary
Method Description Formats
DELETE Deletes this event type. XML, JSON
GET Returns information on this event type. XML, JSON
POST Updates this event type. XML, JSON

DELETE saved/eventtypes/{name} method detail

Example

Request parameters

None

Response data keys

None


GET saved/eventtypes/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
description Description of this event type.
disabled Indicates if the event type is disabled.
eai:appName The Splunk Enterprise app for which this event type applies. For example, the Splunk search app.
eai:attributes Field control information.
eai:userName Splunk Enterprise user name of the creator of this event type. For example, the Splunk admin user.
priority The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
search Search terms for this event type.
tags [Deprecated] Tags associated with this event type.

Use the tags.conf.spec file to assign tags to groups of events with related field values.


POST saved/eventtypes/{name} method detail

Example

Request parameters
Name Type Default Description
search String Search terms for this event type.
description String Human-readable description of this event type.
disabled Boolean 0 If True, disables the event type.
priority Number 1 Specify an integer from 1 to 10 for the value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
tags String [Deprecated] Use tags.conf.spec file to assign tags to groups of events with related field values.
Response data keys
Name Description
description Description of this event type.
disabled Indicates if this event type is disabled.
eai:appName The Splunk Enterprise app for which this event type applies. For example, the Splunk search app.
eai:userName Splunk Enterprise user name of the creator of this event type. For example, the Splunk admin user.
priority The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
search Search terms for this event type.
tags [Deprecated] Tags associated with this event type.

Use tags.conf.spec file to assign tags to groups of events with related field values.

Application usage

the search must be re-specified for this edit.

URI-encode the search string if it contains any of the following characters: =, &, ?, %

Otherwise, these characters can be interpreted as part of the HTTP request.

[ Top ]



search/fields


https://<host>:<mPort>/services/search/fields

Authentication: Not required

Description

Provides management for search field configurations.

Field configuration is specified in $SPLUNK_HOME/etc/system/default/fields.conf, with overriden values in $SPLUNK_HOME/etc/system/local/fields.conf.

Method summary
Method Description Formats
GET Returns a list of fields registered for field configuration. XML, JSON

GET search/fields method detail

Example

Request parameters

None

Response data keys

None

[ Top ]



search/fields/{field_name}


https://<host>:<mPort>/services/search/fields/{field_name}

Authentication: Not required

Description

Get information about the {field_name} field.

Method summary
Method Description Formats
GET Retrieves information about the named field. XML, JSON

GET search/fields/{field_name} method detail

Example

Request parameters

None

Response data keys

None

[ Top ]



search/fields/{field_name}/tags


https://<host>:<mPort>/services/search/fields/{field_name}/tags

Authentication: Not required

Description

Manage the tags associated with the {field_name} field.

Method summary
Method Description Formats
GET Returns a list of tags associated with the field specified by {field_name}. XML, JSON
POST Update the tags associated with the field specified by {field_name}. XML, JSON

GET search/fields/{field_name}/tags method detail

Example

Request parameters

None

Response data keys

None


POST search/fields/{field_name}/tags method detail

Example

Request parameters
Name Type Default Description
value String The specific field value on which to bind the tags.
add String The tag to attach to this field_name:value combination.
delete String The tag to remove to this field_name::value combination.
Response data keys

None

Application usage

The value parameter specifies the specific value on which to bind tag actions. Multiple tags can be attached by passing multiple add or delete form parameters. The server processes all of the adds first, and then processes the deletes.

You must specify at least one add or delete parameter.

[ Top ]



search/tags


https://<host>:<mPort>/services/search/tags

Authentication: Not required

Description

Provides management of search time tags.

Method summary
Method Description Formats
GET Returns a list of all search time tags. XML, JSON

GET search/tags method detail

Example

Request parameters

None

Response data keys

None

[ Top ]



search/tags/{tag_name}


https://<host>:<mPort>/services/search/tags/{tag_name}

Authentication: Not required

Description

Manage {tag_name} values.

Method summary
Method Description Formats
DELETE Deletes the tag, and its associated field:value pair assignments. XML, JSON
GET Returns a list of field:value pairs associated with the tag specified by {tag_name}. XML, JSON
POST Updates the field:value pairs associated with {tag_name}. XML, JSON

DELETE search/tags/{tag_name} method detail

Example

Request parameters

None

Response data keys

None

Application usage

The resulting change in tags.conf is to set all field:value pairs to disabled.


GET search/tags/{tag_name} method detail

Example

Request parameters

None

Response data keys

None


POST search/tags/{tag_name} method detail

Example

Request parameters
Name Type Default Description
add String A field:value pair to tag with {tag_name}.
delete String A field:value pair to remove from {tag_name}.
Response data keys

None

Application usage

Multiple field:value pairs can be attached by passing multiple add or delete form parameters. The server processes all of the adds first, and then deletes.

If {tag_name} does not exist, then the tag is created inline. Notification is sent to the client using the HTTP 201 status.

[ Top ]

services/admin/summarization


https://<host>:<mPort>/services/admin/summarization/?by_tstats=1
Description

Review data model acceleration information.

Authentication: Required. Authorization to access data model acceleration information is role-based.

Method Description Formats
GET Returns a list of field:value pairs giving current data model acceleration information. XML, JSON

Example


[ Top ]

Knowledge endpoint examples

data/lookup-table-files GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T19:26:11-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>lookup.csv</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
    <updated>2011-07-21T19:26:11-07:00</updated>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl nodes elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]>        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/lookup-table-files POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/lookup-in-staging-dir.csv -d name=lookup.csv
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T18:26:35-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>lookup.csv</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
    <updated>2011-07-21T18:26:35-07:00</updated>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]>        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/lookup-table-files/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T18:43:11-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/lookup-table-files/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T18:37:25-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>lookup.csv</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
    <updated>2011-07-21T18:37:25-07:00</updated>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>eai:data</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]>        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/lookup-table-files/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/another-lookup-in-staging-dir.csv
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T18:41:52-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>lookup.csv</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
    <updated>2011-07-21T18:41:52-07:00</updated>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]>        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/calcfields GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T15:01:50-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title><access_common> : EVAL-response_time</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
    <updated>2012-10-01T15:01:50-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EVAL-response_time</s:key>
        ... eai:acl node elided ...
        <s:key name="field.name">response_time</s:key>
        <s:key name="stanza"><access_common></s:key>
        <s:key name="type">EVAL</s:key>
        <s:key name="value">response_time/1000</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/calcfields POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields -d name=response_time -d stanza=%3Caccess_common%3E -d value=response_time/1000
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T14:58:45-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title><access_common> : EVAL-response_time</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
    <updated>2012-10-01T14:58:45-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EVAL-response_time</s:key>
        ... eai:acl node elided ...
        <s:key name="field.name">response_time</s:key>
        <s:key name="stanza"><access_common></s:key>
        <s:key name="type">EVAL</s:key>
        <s:key name="value">response_time/1000</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/calcfields/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T15:33:06-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

data/props/calcfields/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T15:05:09-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  ... opensearch nodes elided ...
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title><access_common> : EVAL-response_time</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
    <updated>2012-10-01T15:05:09-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EVAL-response_time</s:key>
        ... eai:acl node elided ...
        ... eai:attributes node elided ...
        <s:key name="field.name">response_time</s:key>
        <s:key name="stanza"><access_common></s:key>
        <s:key name="type">EVAL</s:key>
        <s:key name="value">response_time/1000</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/calcfields/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time -d value=response_time/100
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T15:14:19-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title><access_common> : EVAL-response_time</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
    <updated>2012-10-01T15:14:19-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EVAL-response_time</s:key>
        ... eai:acl node elided ...
        <s:key name="field.name">response_time</s:key>
        <s:key name="stanza"><access_common></s:key>
        <s:key name="type">EVAL</s:key>
        <s:key name="value">response_time/100</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/extractions GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T22:55:04-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>access_combined : REPORT-access</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access</id>
    <updated>2011-07-10T22:55:04-07:00</updated>
    <link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="list"/>
    <link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">REPORT-access</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">access_combined</s:key>
        <s:key name="type">Uses transform</s:key>
        <s:key name="value">access-extractions</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/extractions POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions -d name=port -d stanza=ftp_log -d type=EXTRACT -d "value=port (?<port_number>\d+)"
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T22:56:17-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>ftp_log : EXTRACT-port</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id>
    <updated>2011-07-10T22:56:17-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EXTRACT-port</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">ftp_log</s:key>
        <s:key name="type">Inline</s:key>
        <s:key name="value">port (?<port_number>\d )</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/extractions/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T23:05:42-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/props/extractions/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T23:02:31-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>ftp_log : EXTRACT-port</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id>
    <updated>2011-07-10T23:02:31-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EXTRACT-port</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>value</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="stanza">ftp_log</s:key>
        <s:key name="type">Inline</s:key>
        <s:key name="value">connection on port (?<port_number>\d )</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/extractions/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port -d "value=connection on port (?<port_number>\d+)"
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T23:05:05-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>ftp_log : EXTRACT-port</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id>
    <updated>2011-07-10T23:05:05-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EXTRACT-port</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">ftp_log</s:key>
        <s:key name="type">Inline</s:key>
        <s:key name="value">connection on port (?<port_number>\d )</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/fieldaliases GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:31:41-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
    <updated>2011-07-21T19:31:41-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.foo">bar</s:key>
        <s:key name="attribute">FIELDALIAS-alias_name</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">foo AS bar</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/fieldaliases POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases -d name=alias_name -d stanza=my_sourcetype -d alias.foo=bar
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:30:17-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
    <updated>2011-07-21T19:30:17-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.foo">bar</s:key>
        <s:key name="attribute">FIELDALIAS-alias_name</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">foo AS bar</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/fieldaliases/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:37:45-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/props/fieldaliases/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:33:00-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
    <updated>2011-07-21T19:33:00-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.foo">bar</s:key>
        <s:key name="attribute">FIELDALIAS-alias_name</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>alias\..*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">foo AS bar</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/fieldaliases/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name -d alias.hi=hello -d alias.bye=goodbye
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:34:36-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
    <updated>2011-07-21T19:34:36-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.bye">goodbye</s:key>
        <s:key name="alias.hi">hello</s:key>
        <s:key name="attribute">FIELDALIAS-alias_name</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">bye AS goodbye hi AS hello</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/lookups GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups
XML Response

 <feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:43:53-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
    <updated>2011-08-01T20:43:53-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        ... eai:acl node elided ...
        <s:key name="lookup.field.input.foo"/>
        <s:key name="lookup.field.output.fuzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">my_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">my_transform foo OUTPUT fuzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/lookups POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups -d name=my_lookup -d overwrite=1 -d stanza=my_sourcetype -d transform=my_transform -d lookup.field.input.foo= -d lookup.field.output.fuzz=
    
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:43:31-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
    <updated>2011-08-01T20:43:31-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        ... eai:acl node elided ...
        <s:key name="lookup.field.input.foo"/>
        <s:key name="lookup.field.output.fuzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">my_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">my_transform foo OUTPUT fuzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/lookups/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:44:32-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/props/lookups/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:44:06-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
    <updated>2011-08-01T20:44:06-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>overwrite</s:item>
                <s:item>transform</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>lookup\.field\.input\..*</s:item>
                <s:item>lookup\.field\.output\..*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="lookup.field.input.foo"/>
        <s:key name="lookup.field.output.fuzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">my_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">my_transform foo OUTPUT fuzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/lookups/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup -d overwrite=1 -d transform=other_transform -d lookup.field.input.bar= -d lookup.field.output.buzz=
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:44:21-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
    <updated>2011-08-01T20:44:21-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        ... eai:acl node elided ...
        <s:key name="lookup.field.input.bar"/>
        <s:key name="lookup.field.output.buzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">other_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">other_transform bar OUTPUT buzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/sourcetype-rename GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:40:53-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>hardware</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
    <updated>2011-07-12T15:40:53-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">rename</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">hardware</s:key>
        <s:key name="type">rename</s:key>
        <s:key name="value">hw</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/sourcetype-rename POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename -d name=hardware -d value=hw
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:39:57-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>hardware</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
    <updated>2011-07-12T15:39:57-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">rename</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">hardware</s:key>
        <s:key name="type">rename</s:key>
        <s:key name="value">hw</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/sourcetype-rename/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:49:16-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/props/sourcetype-rename/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:44:47-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>hardware</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
    <updated>2011-07-12T15:44:47-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">rename</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>value</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="stanza">hardware</s:key>
        <s:key name="type">rename</s:key>
        <s:key name="value">hw</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/sourcetype-rename/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware -d value=hrdwr
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:46:58-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>hardware</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
    <updated>2011-07-12T15:46:58-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">rename</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">hardware</s:key>
        <s:key name="type">rename</s:key>
        <s:key name="value">hrdwr</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/extractions GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:28:03-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>access-extractions</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/transforms/extractions/access-extractions</id>
    <updated>2011-07-21T20:28:03-07:00</updated>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="list"/>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX">
<![CDATA[^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]]]>        </s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/extractions POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions -d REGEX="(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)" -d SOURCE_KEY=_raw -d name=my_transform
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:25:20-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_transform</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id>
    <updated>2011-07-21T20:25:20-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/extractions/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:34:30-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/transforms/extractions/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:29:00-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_transform</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id>
    <updated>2011-07-21T20:29:00-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>CAN_OPTIMIZE</s:item>
                <s:item>CLEAN_KEYS</s:item>
                <s:item>FORMAT</s:item>
                <s:item>KEEP_EMPTY_VALS</s:item>
                <s:item>MV_ADD</s:item>
                <s:item>disabled</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>REGEX</s:item>
                <s:item>SOURCE_KEY</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/extractions/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform -d REGEX="(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)" -d SOURCE_KEY=_raw -d CLEAN_KEYS=false
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:33:13-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_transform</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id>
    <updated>2011-07-21T20:33:13-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">0</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/lookups GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-08-01T21:10:44-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>dnslookup</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/transforms/lookups/dnslookup</id>
    <updated>2011-08-01T21:10:44-07:00</updated>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="list"/>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX"/>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="external_cmd">external_lookup.py clienthost clientip</s:key>
        <s:key name="fields_list">clienthost clientip</s:key>
        <s:key name="type">external</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/lookups POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups -d name=my_lookup -d filename=lookup.csv
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-08-01T21:10:33-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
    <updated>2011-08-01T21:10:33-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX"/>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="filename">lookup.csv</s:key>
        <s:key name="type">file</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/lookups/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-07-21T20:03:24-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/transforms/lookups/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-08-01T21:11:01-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
    <updated>2011-08-01T21:11:01-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX"/>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>default_match</s:item>
                <s:item>disabled</s:item>
                <s:item>external_cmd</s:item>
                <s:item>fields_list</s:item>
                <s:item>filename</s:item>
                <s:item>max_matches</s:item>
                <s:item>max_offset_secs</s:item>
                <s:item>min_matches</s:item>
                <s:item>min_offset_secs</s:item>
                <s:item>time_field</s:item>
                <s:item>time_format</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="filename">lookup.csv</s:key>
        <s:key name="type">file</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/lookups/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup -d external_cmd=myscript.py -d fields_list=a,b,c
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-07-21T20:00:07-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
    <updated>2011-07-21T20:00:07-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX"/>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="external_cmd">myscript.py</s:key>
        <s:key name="fields_list">a,b,c</s:key>
        <s:key name="type">external</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

datamodel/acceleration GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/datamodel/acceleration
XML Response

feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://myserver-centos62x64-4:8789/services/datamodel/acceleration</id>
  <updated>2013-08-24T12:45:20-07:00</updated>
  <generator build="178272" version="6.0"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>simpleMyAppModel</title>
    <id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel</id>
    <updated>2013-08-24T12:45:20-07:00</updated>
    <link href="/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="acceleration">1</s:key>
        <s:key name="acceleration.earliest_time">-1mon</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:digest">9a9dba7c96b3f81554e3773b8d8fe45e</s:key>
        <s:key name="eai:type">datamodels</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="search"><![CDATA[uri=*  status=*  clientip=*  referer=*  useragent=*  (sourcetype=access_*)  (status < 600)  |
        . . . elided . . .
        "HTTP_Request.HTTP_Success.is_not_Pageview", "HTTP_Request.HTTP_Success.Pageview.myevalfield2"]]>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

datamodel/acceleration/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/datamodel/acceleration/simpleMyAppModel
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://myserver-centos62x64-4:8789/services/datamodel/acceleration</id>
  <updated>2013-08-24T12:55:07-07:00</updated>
  <generator build="178272" version="6.0"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>simpleMyAppModel</title>
    <id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel</id>
    <updated>2013-08-24T12:55:07-07:00</updated>
    <link href="/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="acceleration">1</s:key>
        <s:key name="acceleration.earliest_time">-1mon</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:digest">9a9dba7c96b3f81554e3773b8d8fe45e</s:key>
        <s:key name="eai:type">datamodels</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="search"><![CDATA[uri=*  status=*  clientip=*  referer=*  useragent=*  (sourcetype=access_*)  (status < 600)  |
        . . . elided . . .
        "HTTP_Request.HTTP_Success.is_not_Pageview", "HTTP_Request.HTTP_Success.Pageview.myevalfield2"]]>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

datamodel/model GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/datamodel/model
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://myserver-centos62x64-4:8789/services/datamodel/model</id>
  <updated>2013-08-15T11:42:06-07:00</updated>
  <generator build="176231" version="6.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/datamodel/model/_new" rel="create"/>
  <link href="/services/datamodel/model/desc" rel="desc"/>
  <link href="/services/datamodel/model/report" rel="report"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>MyApp</title>
    <id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/model/MyApp</id>
    <updated>2013-08-23T15:03:13-07:00</updated>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="list"/>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="acceleration">{"enabled": false}</s:key>
        <s:key name="description"><![CDATA[{"objects": [{"lineage": "HTTP_Request", "previewSearch": " | search  (sourcetype=access_* OR sourcetype=iis*)
        . . . elided . . .
         "modelName": "MyApp", "displayName": "Web Intelligence"}]]>
        </s:key>
        <s:key name="displayName">Web Intelligence</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>power</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:digest">b8ebd9315dddf8a5e572187f57ddc9de</s:key>
        <s:key name="eai:type">models</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
  . . . elided . . .
</feed>

datamodel/model POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/datamodel/model -d name=Debugger --data-urlencode description='{"modelName":"Debugger","displayName":"Debugger", "description": "A data model for debugging purposes". . . elided . . . }'
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://qa-sv-rh61x64-10:8089/services/datamodel/model</id>
  <updated>2013-10-16T11:19:24-07:00</updated>
  <generator build="183095" version="6.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/datamodel/model/_new" rel="create"/>
  <link href="/services/datamodel/model/desc" rel="desc"/>
  <link href="/services/datamodel/model/report" rel="report"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>Debugger</title>
    <id>https://qa-sv-rh61x64-10:8089/servicesNS/admin/search/datamodel/model/Debugger</id>
    <updated>2013-10-16T11:19:24-07:00</updated>
    <link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="list"/>
    <link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="edit"/>
    <link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="acceleration">{"enabled": false}</s:key>
        <s:key name="description">
          <![CDATA[{"displayName": "Debugger", "modelName": "Debugger", "objectSummary": \
        ...
        "autoextractSearch": " (index = _internal) "}]}]]>
        </s:key>
        <s:key name="displayName">Debugger</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          {'optionalFields': ['acceleration', 'acceleration.cron_schedule', \
           'acceleration.earliest_time', 'eai:data'], 'requiredFields': [], 'wildcardFields': []}
        </s:key>
        <s:key name="eai:digest">05ca1a193365a3b613b919c6401591e3</s:key>
        <s:key name="eai:type">models</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

datamodel/model/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/services/datamodel/model/MyApp
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://myserver-centos62x64-4:8789/services/datamodel/model</id>
  <updated>2013-08-24T15:00:54-07:00</updated>
  <generator build="178272" version="6.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/datamodel/model/_new" rel="create"/>
  <link href="/services/datamodel/model/desc" rel="desc"/>
  <link href="/services/datamodel/model/report" rel="report"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

datamodel/model/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/datamodel/model/MyApp
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://myserver-centos62x64-4:8789/services/datamodel/model</id>
  <updated>2013-08-24T13:07:36-07:00</updated>
  <generator build="178272" version="6.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/datamodel/model/_new" rel="create"/>
  <link href="/services/datamodel/model/desc" rel="desc"/>
  <link href="/services/datamodel/model/report" rel="report"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>MyApp</title>
    <id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/model/MyApp</id>
    <updated>2013-08-24T13:07:36-07:00</updated>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="list"/>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="acceleration">{"enabled": false}</s:key>
        <s:key name="description"><![CDATA[{"modelName": "MyApp", "objectNameList": ["HTTP_Request", "ApacheAccessSearch", "IISAccessSearch",
        . . . elided . . .
        "Interface Implementations": 0, "Search-Based": 1}, "description": "Data model for web analytics.", "displayName": "Web Intelligence"}]]>
        </s:key>
        <s:key name="displayName">Web Intelligence</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>acceleration</s:item>
                <s:item>concise</s:item>
                <s:item>description</s:item>
                <s:item>provisional</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:digest">b8ebd9315dddf8a5e572187f57ddc9de</s:key>
        <s:key name="eai:type">models</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

datamodel/model/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/datamodel/model/MyApp -d concise=true
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://myserver-centos62x64-4:8789/services/datamodel/model</id>
  <updated>2013-08-24T13:35:54-07:00</updated>
  <generator build="178272" version="6.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/datamodel/model/_new" rel="create"/>
  <link href="/services/datamodel/model/desc" rel="desc"/>
  <link href="/services/datamodel/model/report" rel="report"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>MyApp</title>
    <id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/model/MyApp</id>
    <updated>2013-08-24T13:35:54-07:00</updated>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="list"/>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="acceleration">{"enabled": false, "earliest_time": "-1mon"}</s:key>
        <s:key name="description"><![CDATA[{"modelName": "MyApp", "objects": [{"constraints": [{"search": "sourcetype=access_* OR
        . . . elided . . .
        "PodcastDownload", "WebSession", "User"], "description": "Data model for web analytics."}]]>
        </s:key>
        <s:key name="displayName">Web Intelligence</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">{'wildcardFields': [], 'requiredFields': [], 'optionalFields': ['acceleration', 'acceleration.cron_schedule', 'acceleration.earliest_time', 'eai:data']}</s:key>
        <s:key name="eai:digest">d73ff2d833e3104eed99a8fd258dbae1</s:key>
        <s:key name="eai:type">datamodels</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

datamodel/pivot GET

XML
XML Request

curl -k -u admin:pass -G https://localhost:8089/services/datamodel/pivot/Authentication --data-urlencode pivot_search='| pivot Authentication Untagged_Authentication count(Untagged_Authentication) AS "Count of Untagged Authentication (S.o.S)"'
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://localhost:8089/services/datamodel/pivot</id>
  <updated>2013-08-26T15:07:57-07:00</updated>
  <generator build="178683" version="20130826"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>Authentication</title>
    <id>https://localhost:8089/servicesNS/nobody/search/datamodel/pivot/Authentication</id>
    <updated>2013-08-26T15:07:57-07:00</updated>
    <link href="/servicesNS/nobody/search/datamodel/pivot/Authentication" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/datamodel/pivot/Authentication" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="drilldown_search">| search (login OR "log in" OR authenticated) sourcetype!=stash NOT tag=authentication | stats count AS "Count of Untagged Authentication (S.o.S)"  | fields , "Count of Untagged Authentication (S.o.S)"| fillnull "Count of Untagged Authentication (S.o.S)"</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>is_pivot_command</s:item>
                <s:item>namespace</s:item>
                <s:item>pivot_json</s:item>
                <s:item>pivot_search</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:digest">e74d56a3b4a25256028f3a236e3d2cbc</s:key>
        <s:key name="eai:type">models</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="open_in_search">| search (login OR "log in" OR authenticated) sourcetype!=stash NOT tag=authentication | stats count AS "Count of Untagged Authentication (S.o.S)"  | fields , "Count of Untagged Authentication (S.o.S)"| fillnull "Count of Untagged Authentication (S.o.S)"</s:key>
        <s:key name="pivot_json"><![CDATA[{"rowFormat": {"showSummary": false}, "cells": [{"label": "Count of Untagged Authentication (S.o.S)", "value": "count", "fieldName": "Untagged_Authentication", "type": "objectCount", "owner": "Untagged_Authentication"}], "filters": [], "modelName": "Authentication", "baseClass": "Untagged_Authentication", "rows": [], "columns": [], "colFormat": {"showSummary": false, "showOther": true}}]]></s:key>
        <s:key name="pivot_search">| pivot Authentication Untagged_Authentication count(Untagged_Authentication) AS "Count of Untagged Authentication (S.o.S)"</s:key>
        <s:key name="search">| search (login OR "log in" OR authenticated) sourcetype!=stash NOT tag=authentication | stats count AS "Count of Untagged Authentication (S.o.S)"  | fields , "Count of Untagged Authentication (S.o.S)"| fillnull "Count of Untagged Authentication (S.o.S)"</s:key>
        <s:key name="tstats_search"></s:key>
      </s:dict>
    </content>
  </entry>
</feed>

directory GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/directory
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
  xmlns:s="http://dev.splunk.com/ns/rest"
  xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>directory</title>
  <id>https://localhost:8089/services/directory</id>
  <updated>2011-05-16T19:03:40-0700</updated>
  <generator version="98144"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>_admin</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/ui/views/_admin</id>
    <updated>2011-05-16T19:03:40-0700</updated>
    <link href="/servicesNS/nobody/system/data/ui/views/_admin" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/ui/views/_admin" rel="list"/>
    <link href="/servicesNS/nobody/system/data/ui/views/_admin/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/ui/views/_admin" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="eai:type">views</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>abc</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/ui/views/abc</id>
    <updated>2011-05-16T19:03:40-0700</updated>
    <link href="/servicesNS/nobody/search/data/ui/views/abc" rel="alternate"/>
    <author>
      <name>ssorkin</name>
    </author>
    <link href="/servicesNS/nobody/search/data/ui/views/abc" rel="list"/>
    <link href="/servicesNS/nobody/search/data/ui/views/abc/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/ui/views/abc" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="eai:type">views</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

directory/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/directory/dashboard_live
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>directory</title>
  <id>https://localhost:8089/services/directory</id>
  <updated>2011-05-16T19:09:59-0700</updated>
  <generator version="98144"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>dashboard_live</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/ui/views/dashboard_live</id>
    <updated>2011-05-16T19:09:59-0700</updated>
    <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="list"/>
    <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
            <s:dict>
                <s:key name="optionalFields">
                    <s:list/>
                </s:key>
                <s:key name="requiredFields">
                    <s:list/>
                </s:key>
                <s:key name="wildcardFields">
                    <s:list/>
                </s:key>
            </s:dict>
        </s:key>
        <s:key name="eai:type">views</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/eventtypes GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:46:52-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>internal_search_terms</title>
    <id>https://localhost:8089/servicesNS/nobody/system/saved/eventtypes/internal_search_terms</id>
    <updated>2011-07-10T23:46:52-07:00</updated>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="list"/>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="edit"/>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description"/>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">
<![CDATA[( "After evaluating args" OR "Before evaluating args" OR "context dispatched for search=" OR "SearchParser - PARSING" OR "got search" OR "_dispatchNewSearch - search" OR "search:* - q" OR ( decomposition fullsearch ) OR "PAAAAAARSER! - search" OR "view:* - DECOMPOSITION" OR "Splunk.Module.SearchBar .setInputField" OR ( typeahead prefix ) OR "DEBUG HTTPServer - Deleting request=GET" OR /en-US/api/search/typeahead )]]>        </s:key>
        <s:key name="tags">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/eventtypes POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes -d name="client-errors" --data-urlencode search=search="http client error NOT (403 OR 404)"
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:47:10-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>client-errors</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id>
    <updated>2011-07-10T23:47:10-07:00</updated>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description"/>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">search</s:key>
        <s:key name="tags">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/eventtypes/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:48:29-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

saved/eventtypes/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:47:17-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>client-errors</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id>
    <updated>2011-07-10T23:47:17-07:00</updated>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description"/>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>description</s:item>
                <s:item>disabled</s:item>
                <s:item>priority</s:item>
                <s:item>tags</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>search</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">search</s:key>
        <s:key name="tags">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/eventtypes/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors -d description="HTTP Client Errors" --data-urlencode search=search="http client error NOT (403 OR 404)"
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:48:22-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>client-errors</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id>
    <updated>2011-07-10T23:48:22-07:00</updated>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description">HTTP Client Errors</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">search</s:key>
        <s:key name="tags">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

search/fields GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>Fields</title>
  <id>/servicesNS/admin/search/search/fields</id>
  <updated>2011-07-11T10:04:51-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>_indextime</title>
    <id>/servicesNS/admin/search/search/fields/_indextime</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/_indextime" rel="alternate"/>
  </entry>
  <entry>
    <title>_sourcetype</title>
    <id>/servicesNS/admin/search/search/fields/_sourcetype</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/_sourcetype" rel="alternate"/>
  </entry>
  <entry>
    <title>date_hour</title>
    <id>/servicesNS/admin/search/search/fields/date_hour</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/date_hour" rel="alternate"/>
  </entry>

  . . . elided . . .

  <entry>
    <title>splunk_server</title>
    <id>/servicesNS/admin/search/search/fields/splunk_server</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/splunk_server" rel="alternate"/>
  </entry>
  <entry>
    <title>timeendpos</title>
    <id>/servicesNS/admin/search/search/fields/timeendpos</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/timeendpos" rel="alternate"/>
  </entry>
  <entry>
    <title>timestartpos</title>
    <id>/servicesNS/admin/search/search/fields/timestartpos</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/timestartpos" rel="alternate"/>
  </entry>
</feed>

search/fields/{field_name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/sourcetype
XML Response

<entry xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype</title>
  <id>/servicesNS/admin/search/search/fields/sourcetype</id>
  <updated>2011-07-11T10:08:54-07:00</updated>
  <link href="/servicesNS/admin/search/search/fields/sourcetype" rel="alternate"/>
  <content type="text">        Attr:INDEXED        True
        Attr:INDEXED_VALUE        False
        Attr:TOKENIZER        
</content>
</entry>

search/fields/{field_name}/tags GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/host/tags
XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>Tags for the host field</title>
  <id>/servicesNS/admin/search/search/fields/host/tags</id>
  <updated>2011-07-11T10:41:46-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>location::sfo</title>
    <id>/servicesNS/admin/search/search/fields/host/tags#location::sfo</id>
    <updated>2011-07-11T10:41:46-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/host/tags#location::sfo" rel="alternate"/>
  </entry>
</feed>

search/fields/{field_name}/tags POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/host/tags -d add=sfo -d delete=nyc -d value=location
XML Response

<response>
  <messages>
    <msg type='INFO'>Successfully processed adds/deletes for field host</msg>
  </messages>
</response>

search/tags GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>Tags</title>
  <id>/servicesNS/admin/search/search/tags</id>
  <updated>2011-07-08T01:35:09-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>machine</title>
    <id>/servicesNS/admin/search/search/tags/machine</id>
    <updated>2011-07-08T01:35:09-07:00</updated>
    <link href="/servicesNS/admin/search/search/tags/machine" rel="alternate"/>
  </entry>
  <entry>
    <title>user</title>
    <id>/servicesNS/admin/search/search/tags/user</id>
    <updated>2011-07-08T01:35:09-07:00</updated>
    <link href="/servicesNS/admin/search/search/tags/user" rel="alternate"/>
  </entry>
</feed>

search/tags/{tag_name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/search/tags/user
XML Response

<response>
  <messages>
    <msg type="INFO">Tag successfully deleted</msg>
  </messages>
</response>

search/tags/{tag_name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags/user
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>Field::Value pairs with tag user</title>
  <id>/servicesNS/admin/search/search/tags/user</id>
  <updated>2011-07-08T01:35:28-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>eventtype::userupdate</title>
    <id>/servicesNS/admin/search/search/tags/user#eventtype::userupdate</id>
    <updated>2011-07-08T01:35:28-07:00</updated>
    <link href="/servicesNS/admin/search/search/tags/user#eventtype::userupdate" rel="alternate"/>
  </entry>
</feed>

search/tags/{tag_name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags/user -d add=eventtype::userupdate -d delete=eventtype::useradd-suse
XML Response

<response>
  <messages>
    <msg type="INFO">Processed adds/deletes for tag</msg>
  </messages>
</response>


services/admin/summarization GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/admin/summarization/?by_tstats=1
XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>summarization</title>
  <id>https://localhost:8089/services/admin/summarization</id>
  <updated>2015-06-01T15:21:20-07:00</updated>
  <generator build="e343948e242181aa7b94257ede83830605c853d9" version="20150526"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/summarization/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>tstats:DM_search_mydatamodel</title>
    <id>https://localhost:8089/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel</id>
    <updated>2015-06-01T15:21:20-07:00</updated>
    <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel" rel="list"/>
    <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel" rel="remove"/>
    <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel/details" rel="details"/>
    <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel/reschedule" rel="reschedule"/>
    <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel/touch" rel="touch"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms"/>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">user</s:key>
          </s:dict>
        </s:key>
        <s:key name="search"><![CDATA[search search (index=* OR index=_*) (index=_internal) | eval nodename = "rootevent"| eval is_Age=if(searchmatch("(avg_age)"),1,0), is_not_Age=1-is_Age | eval nodename = if(nodename == "rootevent" AND searchmatch("(avg_age)"), mvappend(nodename, "rootevent.Age"), nodename) | rename abandoned_channels AS rootevent.abandoned_channels average_kbps AS rootevent.average_kbps avg_age AS rootevent.avg_age bytes AS rootevent.bytes clientip AS rootevent.clientip color AS rootevent.color component AS rootevent.component cookie AS rootevent.cookie cpu_seconds AS rootevent.cpu_seconds cumulative_hits AS rootevent.cumulative_hits current_queue_size AS rootevent.current_queue_size current_size AS rootevent.current_size current_size_kb AS rootevent.current_size_kb date_hour AS rootevent.date_hour is_Age AS rootevent.is_Age is_not_Age AS rootevent.is_not_Age | fields nodename, _time, host, source, sourcetype, rootevent.abandoned_channels, rootevent.average_kbps, rootevent.avg_age, rootevent.bytes, rootevent.clientip, rootevent.color, rootevent.component, rootevent.cookie, rootevent.cpu_seconds, rootevent.cumulative_hits, rootevent.current_queue_size, rootevent.current_size, rootevent.current_size_kb, rootevent.date_hour, rootevent.is_Age, rootevent.is_not_Age]]></s:key>
        <s:key name="summary.access_count">0</s:key>
        <s:key name="summary.access_time">0</s:key>
        <s:key name="summary.buckets">22</s:key>
        <s:key name="summary.buckets_size">273</s:key>
        <s:key name="summary.complete">1.000000</s:key>
        <s:key name="summary.earliest_time">1432174156</s:key>
        <s:key name="summary.id">DM_search_mydatamodel</s:key>
        <s:key name="summary.is_inprogress">0</s:key>
        <s:key name="summary.last_error"></s:key>
        <s:key name="summary.last_sid">scheduler__nobody__search__RMD5692d85674596d683_at_1433197200_18815</s:key>
        <s:key name="summary.latest_time">1432684089</s:key>
        <s:key name="summary.mod_time">1433196908</s:key>
        <s:key name="summary.size">61153280</s:key>
        <s:key name="summary.time_range">604800</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

KV store endpoints

KV store endpoint descriptions

This introduction describes syntax common to all App KV Store REST endpoints. For a description of how to use the App KV Store REST API, see App Key Value Store.

App KV store REST API features

App KV store provides:

Limits
Collections

A Collection is a container of "documents" or "values". Most documents have a similar structure, although structure is not enforced. For example, a Collection might have Notable Events or entities.

Collections are declared in a collections.conf configuration file, where a stanza is a single collection.

Collections are Splunk Enterprise entities, which means they are permissioned using the Splunk Enterprise RBAC/ACL system. One reason of exposing Collections as entities is to ensure they are properly managed by Splunk Enterprise. But, the implementation permits only app-level collections. This means that collections can be defined only in the etc/apps/<app>/<default|local> directory, not in etc/users/.... Attempts to create a user-specific Collection using the API fail and Collections created manually in the .conf files are ignored.

Data

A collection stores key-value pairs consisting of a user-specified or autogenerated key and a JSON document-formatted value. A JSON document/object of values is enforced for simplicity instead of using integer or string raw values. For example, {"_key": "10.0.0.1", host: "bar.com"} defines the key ("10.0.0.1") and the full JSON document value.

A key is fetched, updated, and deleted. Partial updates, including array append, are prohibited. You must set the whole document. Keys are unique within a collection and support only the basic JSON data types: boolean, string, number, object, array, and null.

A value is specified in the _key attribute of the document and, if one is not specified, a random value with a desirable sort order is automatically generated.

A collection defined at:

/servicesNS/nobody/search/storage/mycollection

can have operations performed on it using the following URLs:

/servicesNS/nobody/search/storage/mycollection /servicesNS/itay/search/storage/mycollection /servicesNS/mark/search/storage/mycollection

Namespaces are separate, and data are not interleaved. Wildcard operations on the <user> or <app> parts of the namespace are prohibited.

User-specific collections are not supported so all users, including nobody, share a single namespace and _key is unique across all namespaces.

Types

Defining a set of types for some fields in a collection is provided. If a field has no type defined, it uses the type submitted over the API. If a type conversion fails, the insert/update operation is aborted. For example, if the collections.conf file has the following collection,


[mycollection]
field.enabled = bool
field.data.range = cidr

the data inserted or updated in the collection have the fields enabled and range-converted to the applicable type:


* array
* number
* boolean
* time
* string
* cidr

Items need to specified using the field prefix only if type needs to be enforced for the field. The array type is not enforceable so does not need to be specified.

Arrays

Arrays do not change a nested key name. For example, the key "a.b.c" can refer to {"a": {"b": {"c": 1}}} or {"a": {"b": [{"c": 1}]}}.

Numbers

All strings/numbers/booleans are converted to doubles. If a number fails to convert, it inserts the string instead. Booleans All numbers/strings/booleans are converted to booleans. If a boolean fails to convert, it inserts the string instead. Epoch time can be a string or as a number. If it fails to convert, the string version is inserted.

Strings

Everything is converted to a string.

CIDR

All provided strings are converted to canonical CIDR strings. For example:


127.0.0.1       -> 127.000.000.001/32
127.0.0.0/24    -> 127.000.000.000/24
127.0.0/24      -> 127.000.000.000/24

with similar canonicalization for IPv6:


2001:db8::/96               -> 2001:0db8:0000:0000:0000:0000:0000:0000/096
2001:db8:0:0:0:0:0:ffff     -> 2001:0db8:0000:0000:0000:0000:0000:ffff/128
Queries

Combining the Data and Index patterns, gives the ability to do basic querying. Queries are limited to the basic operators available in most databases, and at the moment do not expose in-array and not-in-array containers. A query may have the following operators:

Queries are permitted whether or not an index covers the query. If it the index does not cover the query, the query takes longer. For example, a query to find all Notable Events authored by userA or userB might look like:


{ $or: [ { author: "userA" }, { author: "userB" } ] }
REST methods

The REST API for App KV Store implements the GET, PUT, POST, and DELETE methods described in this reference.

The PUT and POST methods are interchangeable, having identical behavior.

storage/collections/config


https://<host>:<mPort>/servicesNS/{owner}/{app}/storage/collections/config

Authentication: Required

Description

Create or list connections.

Method summary
Method Description Formats
GET List all collections. XML, JSON
PUT, POST Create a new collection. XML, JSON

GET storage/collections/config method detail

Example

Request parameters

None

Response data keys
Name Description
disabled Collection state:
true = disabled.
false = [Default] enabled.
profilingEnabled Profiling status of slow-running operations:
true = Profiling enabled.
false = (Default) Profiling disabled.
profilingThresholdMs Threshold for logging slow-running operations, in milliseconds. Applies only if profilingEnabled = true.

PUT, POST storage/collections/config method detail

Example

Request parameters
Name Type Default Description
name
required
String Collection name.
profilingEnabled Boolean A collections.conf file property. Affects profilingThresholdMs. Enable profiling of slow-running operations:
true = Enable profiling.
false = (Default) Disable profiling.
profilingThresholdMs Number Threshold for logging slow-running operations, in milliseconds. Applies only if profilingEnabled = true. This can have a performance impact on the collection.
0 = Log all slow-running operations.
Default = 100.


Response data keys
Name Description
disabled Collection state:
true = disabled.
false = [Default] enabled.
profilingEnabled Profiling status of slow-running operations, affecting profilingThresholdMs:
true = Profiling enabled.
false = (Default) Profiling disabled.
profilingThresholdMs Threshold for logging slow-running operations, in milliseconds. Applies only if profilingEnabled = true.
Application usage

[ Top ]



storage/collections/config/{collection}


https://<host>:<mPort>/servicesNS/{owner}/{app}/storage/collections/config/{collection}

Authentication: Required

Description

Manage a specific collection.

Method summary
Method Description Formats
DELETE Drop the {collection} collection. XML, JSON
GET Get {collection} collection information. XML, JSON
POST Update the {collection} collection. XML, JSON

DELETE storage/collections/config/{collection} method detail

Example

Request parameters

None

Response data keys

None


GET storage/collections/config/{collection} method detail

Example

Request parameters

None

Response data keys
Name Description
disabled Collection state:
true = disabled.
false = [Default] enabled.
field.<fieldType> Field type for field <fieldType>. One of:
array
number
bool
string
cidr
time
index.<indexName> Index definition named <indexName>.
profilingEnabled Profiling status of slow-running operations, affecting profilingThresholdMs:
true = Profiling enabled.
false = (Default) Profiling disabled.
profilingThresholdMs Threshold for logging slow-running operations, in milliseconds. Applies only if profilingEnabled = true.

POST storage/collections/config/{collection} method detail

Example

Request parameters
Name Type Default Description
field.<fieldType> String Field type for field <fieldType>. One of:
array
number
bool
string
cidr
time
index.<indexName> String Index definition named <indexName>.
Response data keys
Name Description
disabled Collection state:
true = disabled.
false = [Default] enabled.
field.<fieldType> Field type for field <fieldType>. One of:
array
number
bool
string
cidr
time
index.<indexName> Index definition named <indexName>.
profilingEnabled Profiling status of slow-running operations, affecting profilingThresholdMs:
true = Profiling enabled.
false = (Default) Profiling disabled.
profilingThresholdMs Threshold for logging slow-running operations, in milliseconds. Applies only if profilingEnabled = true.
Application usage

[ Top ]



storage/collections/data/{collection}


https://<host>:<mPort>/servicesNS/{owner}/{app}/storage/collections/data/{collection}

Authentication: Required

Description

Manage items of a collection.

Method summary
Method Description Formats
DELETE Delete item(s) in the {collection} collection. XML, JSON
GET Get items in the {collection} collection. XML, JSON
PUT, POST Insert an item in the {collection} collection. JSON

DELETE storage/collections/data/{collection} method detail

Example

Response data keys

None

Application usage

The request deletes entries matching the query. If no query is provided, all entries in the collection are deleted.


GET storage/collections/data/{collection} method detail

Example

Request parameters
Name Type Default Description
fields String Comma-separated list of fields to include (1) or exclude (0). A fields value cannot contain both include and exclude specifications except for exclusion of the _id field. Examples:
fields=firstname,surname (Include only firstname, surname, and _id fields)
fields=firstname,surname,_id:0 (Include only the firstname and surname fields.
fields=address:0 (Include all fields except the address field)
limit Number Maximum number of items to return. Example:
limit=5 (Return five items)
skip Number Number of items to skip from the start. Example:
skip=10 (Skip first 10 items)
sort String Sort order. Examples:
sort=surname (Sort by surname, ascending)
sort=surname,firstname</<code> (Sort by <code>surname, ascending, after firstname, ascending)
sort=surname:-1,firstname:1 (Sort by surname, descending, after firstname, ascending
sort=surname:1,firstname<code> (Sort by <code>surname, ascending, after firstname, ascending
query JSON object Query JSON object.
Conditional operators: $gt, $gte, $lt, $lte, and $ne
Logical operators: $and, $or, and ,$not (invert conditional operators)
Examples:
query={"title":"Item"} (Select all documents with property title that has value Item)
query={"price":{"$gt":5}} (Select all documents with price greater than 5)
Response data keys

JSON document. Example:


[ { <span style="color: #008000; font-weight: bold">"myKey"</span> : <span style="color: #BA2121">"abc"</span>, <span style="color: #008000; font-weight: bold">"_user"</span> : <span style="color: #BA2121">"nobody"</span>, <span style="color: #008000; font-weight: bold">"_key"</span> : <span style="color: #BA2121">"5410be5441ba15298e4624d1"</span> } ]
Application usage

Parameter order does not matter. Parameters are always applied in the order of sort, skip, and limit.


PUT, POST storage/collections/data/{collection} method detail

Example

Request parameters

JSON-formatted document.

Example:


{ "name": "A" }
Response data keys

JSON-formatted document ID.

Example:


{
    "_id": "530bc62fc9a6577fdf13651f"
}
Application usage

The Content-Type header must be application/json.

The _id is autogenerated, if not manually specified.

[ Top ]



storage/collections/data/{collection}/{key}


https://<host>:<mPort>/servicesNS/{owner}/{app}/storage/collections/data/{collection}/{key}

Authentication: Required

Description

Manage a specific item of a collection.

Method summary
Method Description Formats
DELETE Delete item {key} in {collection}. XML, JSON
GET Get item in {collection} by {key} XML, JSON
PUT, POST Update the {key} item in {collection}. JSON

DELETE storage/collections/data/{collection}/{key} method detail

Example

Request parameters

None

Response data keys

None


GET storage/collections/data/{collection}/{key} method detail

Example

Request parameters

None

Response data keys

JSON-formatted {key} document.

Example:


{"myKey" : "abc", "myOtherKey" : "uvwxyz", "_user" : "nobody", "_key" : "5410c8dc41ba15298e4624d5"}

PUT, POST storage/collections/data/{collection}/{key} method detail

Example

Request parameters

JSON-formatted document for {key}.

Example:


{ "myKey": "fizz"}
Response data keys

JSON-formatted {key}.

Example:


{"_key":"5410c8dc41ba15298e4624d5"}
Application usage

The header Content-Type must be application/json.

[ Top ]



storage/collections/data/{collection}/batch_save


https://<host>:<mPort>/servicesNS/storage/collections/data/{collection}/batch_save

Authentication: Required

Description

Perform multiple save operations.

Method summary
Method Description Formats
POST Perform multiple save operations. JSON

POST storage/collections/data/{collection}/batch_save method detail

Example

Request parameters

JSON array of documents to save.

Response data keys

JSON-formatted list of keys added.

Example:


[ "5410c43241ba15298e4624d3", "5418c54e41ba152267763c01" ]
Application usage

Header Content-Type must be application/json.

If a document does not have an _key field or store does not have a matching document ID, an _key new document is created.

If an operation fails, the server stops batch processing and returns an HTTP status code other than 200:

[ Top ]

KV store endpoint examples

storage/collections/config GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/collections/config
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>collections-conf</title> <id>https://localhost:8089/servicesNS/nobody/search/storage/collections/config</id> <updated>2014-09-02T11:28:27-07:00</updated> <generator build="229629" version="6.2"/>

<author>
  <name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/storage/collections/config/_new" rel="create"/>
<link href="/servicesNS/nobody/search/storage/collections/config/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
  <title>kvstoredemo</title>
  <id>https://localhost:8089/servicesNS/nobody/search/storage/collections/config/kvstoredemo</id>
  <updated>2014-09-02T11:28:27-07:00</updated>
  <link href="/servicesNS/nobody/search/storage/collections/config/kvstoredemo" rel="alternate"/>
  <author>
    <name>admin</name>
  </author>
  <link href="/servicesNS/nobody/search/storage/collections/config/kvstoredemo" rel="list"/>
  <link href="/servicesNS/nobody/search/storage/collections/config/kvstoredemo/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/storage/collections/config/kvstoredemo" rel="edit"/>
  <link href="/servicesNS/nobody/search/storage/collections/config/kvstoredemo" rel="remove"/>
  <link href="/servicesNS/nobody/search/storage/collections/config/kvstoredemo/disable" rel="disable"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="disabled">0</s:key>
      <s:key name="eai:acl"> ... elided ... </s:key>
      <s:key name="eai:appName">search</s:key>
      <s:key name="eai:userName">nobody</s:key>
      <s:key name="profilingEnabled">false</s:key>
      <s:key name="profilingThresholdMs">100</s:key>
    </s:dict>
  </content>
</entry>
<entry>
  <title>test</title>
  <id>https://localhost:8089/servicesNS/nobody/search/storage/collections/config/test</id>
  <updated>2014-09-02T11:28:27-07:00</updated>
  <link href="/servicesNS/nobody/search/storage/collections/config/test" rel="alternate"/>
  <author>
    <name>admin</name>
  </author>
  <link href="/servicesNS/nobody/search/storage/collections/config/test" rel="list"/>
  <link href="/servicesNS/nobody/search/storage/collections/config/test/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/storage/collections/config/test" rel="edit"/>
  <link href="/servicesNS/nobody/search/storage/collections/config/test" rel="remove"/>
  <link href="/servicesNS/nobody/search/storage/collections/config/test/disable" rel="disable"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="disabled">0</s:key>
      <s:key name="eai:acl"> ... elided ...</s:key>
      <s:key name="eai:appName">search</s:key>
      <s:key name="eai:userName">nobody</s:key>
      <s:key name="profilingEnabled">false</s:key>
      <s:key name="profilingThresholdMs">100</s:key>
    </s:dict>
  </content>
</entry>

</feed>


storage/collections/config POST

XML
XML Request

curl -k -u admin:changeme -d name=test1 http://localhost:8089/servicesNS/nobody/search/storage/collections/config
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>collections-conf</title> <id>https://localhost:8089/servicesNS/nobody/search/storage/collections/config</id> <updated>2014-09-02T11:25:32-07:00</updated> <generator build="229629" version="6.2"/>

<author>
  <name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/storage/collections/config/_new" rel="create"/>
<link href="/servicesNS/nobody/search/storage/collections/config/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
  <title>test1</title>
  <id>https://localhost:8089/servicesNS/nobody/search/storage/collections/config/test1</id>
  <updated>2014-09-02T11:25:32-07:00</updated>
  <link href="/servicesNS/nobody/search/storage/collections/config/test1" rel="alternate"/>
  <author>
    <name>admin</name>
  </author>
  <link href="/servicesNS/nobody/search/storage/collections/config/test1" rel="list"/>
  <link href="/servicesNS/nobody/search/storage/collections/config/test1/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/storage/collections/config/test1" rel="edit"/>
  <link href="/servicesNS/nobody/search/storage/collections/config/test1" rel="remove"/>
  <link href="/servicesNS/nobody/search/storage/collections/config/test1/disable" rel="disable"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="disabled">0</s:key>
      <s:key name="eai:acl"> ... elided ... </s:key>
      <s:key name="eai:appName">search</s:key>
      <s:key name="eai:userName">nobody</s:key>
      <s:key name="profilingEnabled">false</s:key>
      <s:key name="profilingThresholdMs">100</s:key>
    </s:dict>
  </content>
</entry>

</feed>


storage/collections/config/{collection} DELETE

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/collections/config/test -X DELETE
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>collections-conf</title>
 <id>https://localhost:8089/servicesNS/nobody/search/storage/collections/config</id>
 <updated>2014-06-02T20:08:11-07:00</updated>
 <generator build="210538" version="20140530"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/nobody/search/storage/collections/config/_new" rel="create"/>
 <link href="/servicesNS/nobody/search/storage/collections/config/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>

</feed>


storage/collections/config/{collection} GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/collections/config/test
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;> <title>collections-conf</title> <id>https://localhost:8089/servicesNS/nobody/search/storage/collections/config</id> <updated>2014-09-02T11:42:54-07:00</updated> <generator build="229629" version="6.2"/>

<author>

<name>Splunk</name>

</author> <link href="/servicesNS/nobody/search/storage/collections/config/_new" rel="create"/> <link href="/servicesNS/nobody/search/storage/collections/config/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> <entry>

<title>test</title>
 <id>https://localhost:8089/servicesNS/nobody/search/storage/collections/config/test</id>
 <updated>2014-09-02T11:42:54-07:00</updated>
 <link href="/servicesNS/nobody/search/storage/collections/config/test" rel="alternate"/>
 <author>
   <name>admin</name>
 </author>
 <link href="/servicesNS/nobody/search/storage/collections/config/test" rel="list"/>
 <link href="/servicesNS/nobody/search/storage/collections/config/test/_reload" rel="_reload"/>
 <link href="/servicesNS/nobody/search/storage/collections/config/test" rel="edit"/>
 <link href="/servicesNS/nobody/search/storage/collections/config/test" rel="remove"/>
 <link href="/servicesNS/nobody/search/storage/collections/config/test/disable" rel="disable"/>
 <content type="text/xml">
   <s:dict>
     <s:key name="disabled">0</s:key>
     <s:key name="eai:acl"> ... elided ... </s:key>
     <s:key name="eai:appName">search</s:key>
     <s:key name="eai:attributes"> ... elided ... </s:key>
     <s:key name="eai:userName">nobody</s:key>
     <s:key name="profilingEnabled">false</s:key>
     <s:key name="profilingThresholdMs">100</s:key>
   </s:dict>
 </content>

</entry> </feed>


storage/collections/config/{collection} POST

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/collections/config/test -d 'index.foo={"a": 1}' -d 'index.bar={"b": -1}' -d "field.a=number" -d "field.b=cidr"
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>collections-conf</title> <id>https://localhost:8089/servicesNS/nobody/search/storage/collections/config</id> <updated>2014-09-02T11:50:57-07:00</updated> <generator build="229629" version="6.2"/>

<author>

<name>Splunk</name>

</author> <link href="/servicesNS/nobody/search/storage/collections/config/_new" rel="create"/> <link href="/servicesNS/nobody/search/storage/collections/config/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> <entry>

<title>test</title>
 <id>https://localhost:8089/servicesNS/nobody/search/storage/collections/config/test</id>
 <updated>2014-09-02T11:50:57-07:00</updated>
 <link href="/servicesNS/nobody/search/storage/collections/config/test" rel="alternate"/>
 <author>
   <name>admin</name>
 </author>
 <link href="/servicesNS/nobody/search/storage/collections/config/test" rel="list"/>
 <link href="/servicesNS/nobody/search/storage/collections/config/test/_reload" rel="_reload"/>
 <link href="/servicesNS/nobody/search/storage/collections/config/test" rel="edit"/>
 <link href="/servicesNS/nobody/search/storage/collections/config/test" rel="remove"/>
 <link href="/servicesNS/nobody/search/storage/collections/config/test/disable" rel="disable"/>
 <content type="text/xml">
   <s:dict>
     <s:key name="disabled">0</s:key>
     <s:key name="eai:acl"> ... elided ... </s:key>
     <s:key name="eai:appName">search</s:key>
     <s:key name="eai:userName">nobody</s:key>
     <s:key name="index.foo">{"a": 1}

index.bar={"b": -1} field.a=number field.b=cidr</s:key>

    <s:key name="profilingEnabled">false</s:key>
     <s:key name="profilingThresholdMs">100</s:key>
   </s:dict>
 </content>

</entry> </feed>


storage/collections/data/{collection} DELETE

JSON DELETE all
JSON Request

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/collections/data/testCollectionA -X DELETE
JSON Response

None


storage/collections/data/{collection} GET

JSON
JSON Request

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/collections/data/testCollectionA
JSON Response

[ { "myKey" : "abc", "_user" : "nobody", "_key" : "5410be5441ba15298e4624d1" } ]


storage/collections/data/{collection} POST

JSON
JSON Request

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/collections/data/testCollectionA -H "Content-Type: application/json" -d '{ "myKey": "abc",  "myOtherKey": "abcdef"}'
JSON Response

{"_key":"5410be5441ba15298e4624d1"}


storage/collections/data/{collection}/{key} DELETE

JSON
JSON Request

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/collections/data/testCollectionA/5410caf041ba15298e4624d6 -X DELETE
JSON Response

None


storage/collections/data/{collection}/{key} GET

JSON
JSON Request

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/collections/data/testCollectionA/5410c8dc41ba15298e4624d5
JSON Response

{ "myKey" : "abc", "myOtherKey" : "uvwxyz", "_user" : "nobody", "_key" : "5410c8dc41ba15298e4624d5" }


storage/collections/data/{collection}/{key} POST

JSON
JSON Request

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/collections/data/testCollectionA/5410c8dc41ba15298e4624d5 -H "Content-Type: application/json" -d '{ "myKey": "fizz"}'
JSON Response

{"_key":"5410c8dc41ba15298e4624d5"}


storage/collections/data/{collection}/batch_save POST

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/collections/data/testCollectionA/batch_save -H "Content-Type: application/json" -d '[{ "_key": "5410c43241ba15298e4624d3", "name": "AAAAAAAA" },{ "name": "A" }]}'
XML Response

[ "5410c43241ba15298e4624d3", "5418c54e41ba152267763c01" ]

License endpoints

License endpoint descriptions

This page is currently a work in progress; expect frequent near-term updates.

Manage licensing configurations.

licenser/groups


https://<host>:<mPort>/services/licenser/groups

Authentication: Not required

Description

Provides access to the configuration of licenser groups.

A licenser group contains one or more licenser stacks that can operate concurrently. Only one licenser group is active at any given time.

Method summary
Method Description Formats
GET Lists all licenser groups. XML, JSON

GET licenser/groups method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
is_active Indicates if the license group is active.
stack_ids The license stacks in the license group.

[ Top ]



licenser/groups/{name}


https://<host>:<mPort>/services/licenser/groups/{name}

Authentication: Not required

Description

Manage the {name} licenser group.

Method summary
Method Description Formats
GET Lists a specific licenser group. XML, JSON
POST Activates specific licenser group with the side effect of deactivating the previously active one. XML, JSON

GET licenser/groups/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
is_active Indicates if the license group is active.
stack_ids The license stacks in the license group.
Application usage

A licenser group contains one or more licenser stacks that can operate concurrently. Only one licenser group is active at any given time.


POST licenser/groups/{name} method detail

Example

Request parameters
Name Type Default Description
is_active
required
Boolean Active specific licenser group
Response data keys

None

Application usage

There can only be a single active licenser group for a given instance of Splunk. Use this to switch between, for example, free to enterprise, or download-trial to free.

[ Top ]



licenser/licenses


https://<host>:<mPort>/services/licenser/licenses

Authentication: Not required

Description

Provides access to the licenses for this Splunk Enterprise instance.

A license enables various features for a splunk instance, including but not limitted to indexing quota, auth, search, forwarding, and so forth.

Method summary
Method Description Formats
GET Lists all licenses added. XML, JSON
POST Add a license entitlement to this instance. XML, JSON

GET licenser/licenses method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
creation_time The creation time of this license, in Coordinated Universal Time (UTC).
expiration_time The time this license expires, in Coordinated Universal Time (UTC).
features The list of features and components enabled by this license.
group_id The ID of the group to which this license belongs.
label Plain text description of this license.
license_hash Unique identifier for the license.

The REST API uses this identifier to access this license.

max_violations The maximum number of violations allowed during the specified window period (window_period.

Searching is disabled when max_violations is exceeded.

quota Daily indexing quota, in bytes, for this license.
sourcetypes The list of allowed sourcetypes for this list. You cannot use this license to index sourcetypes that are not present in this list.

An empty list indicates all sourcetypes are allowed.

stack_id The ID of the license stack to which this license belongs.
status The status of a license can be either VALID or EXPIRED.
type Provides any additional information about the type of this license.
window_period The rolling period, in days, in which violations are aggregated.
Application usage

Only a subset of these licenses may be active however, this is simply listing all licenses in every stack/group, regardless of which group is active.


POST licenser/licenses method detail

Example

Request parameters
Name Type Default Description
name
required
string Path to license file on server. If the payload parameter is specified, the name parameter is ignored.
payload string String representation of license, encoded in xml
Response data keys
Name Description
creation_time The creation time of this license, in Coordinated Universal Time (UTC).
expiration_time The time this license expires, in Coordinated Universal Time (UTC).
features The list of features and components enabled by this license.
group_id The ID of the group to which this license belongs.
label Plain text description of this license.
license_hash Unique identifier for the license.

The REST API uses this identifier to access this license.

max_violations The maximum number of violations allowed during the specified window period (window_period.

Searching is disabled when max_violations is exceeded.

payload String representation of license, encoded in xml.
quota Daily indexing quota, in bytes, for this license.
sourcetypes The list of allowed sourcetypes for this list. You cannot use this license to index sourcetypes that are not present in this list.

An empty list indicates all sourcetypes are allowed.

stack_id The ID of the license stack to which this license belongs.
status The status of a license can be either VALID or EXPIRED.
type Provides any additional information about the type of this license.
window_period The rolling period, in days, in which violations are aggregated.

[ Top ]



licenser/licenses/{name}


https://<host>:<mPort>/services/licenser/licenses/{name}

Authentication: Not required

Description

Manage the {name} license.

Method summary
Method Description Formats
DELETE Delete the license with hash corresponding to {name}. XML, JSON
GET List attributes of specific license. XML, JSON

DELETE licenser/licenses/{name} method detail

Example

Request parameters

None

Response data keys

None

Application usage

You cannot delete the last license out of an active group. First, deactivate the group (by switching to another group) and then perform the delete.


GET licenser/licenses/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
creation_time The creation time of this license, in Coordinated Universal Time (UTC).
expiration_time The time this license expires, in Coordinated Universal Time (UTC).
features The list of features and components enabled by this license.
group_id The ID of the group to which this license belongs.
label Plain text description of this license.
license_hash Unique identifier for the license.

The REST API uses this identifier to access this license.

max_violations The maximum number of violations allowed during the specified window period (window_period.

Searching is disabled when max_violations is exceeded.

quota Daily indexing quota, in bytes, for this license.
sourcetypes The list of allowed sourcetypes for this list. You cannot use this license to index sourcetypes that are not present in this list.

An empty list indicates all sourcetypes are allowed.

stack_id The ID of the license stack to which this license belongs.
status The status of a license can be either VALID or EXPIRED.
type Provides any additional information about the type of this license.
window_period The rolling period, in days, in which violations are aggregated.
Application usage

The {name} portion of URL is actually the hash of the license payload.

[ Top ]



licenser/localslave


https://<host>:<mPort>/services/licenser/localslave

Authentication: Required

Description

Get information about relevant license state for the splunk instance.

Method summary
Method Description Formats
GET Get information about relevant license state for the splunk instance XML, JSON

GET licenser/localslave method detail

Example

Request parameters

None

Response data keys
Name Description
add_ons List of add-ons resident on this instance, and add-on parameters.
connection_timeout Instance connection timeout (seconds).
features List of key-value pairs of the following features and their ENABLED/DISABLED status:
  • Acceleration
  • AdvancedSearchCommands
  • AdvancedXML
  • Alerting
  • AllowDuplicateKeys
  • Auth
  • CanBeRemoteMaster
  • CustomRoles
  • DeployClient
  • DeployServer
  • DistSearch
  • FwdData
  • GuestPass
  • KVStore
  • LDAPAuth
  • LocalSearch
  • MultisiteClustering
  • NontableLookups
  • RcvData
  • RcvSearch
  • ResetWarnings">DISABLED_DUE_TO_LICENSE</s:key>
  • RollingWindowAlerts
  • ScheduledAlerts
  • ScheduledReports
  • ScheduledSearch
  • SearchheadPooling
  • SigningProcessor
  • SplunkWeb
  • SyslogOutputProcessor
  • UnisiteClustering
last_master_contact_attempt_time Time of last attempt to contact master.
last_master_contact_success_time Time of last successful attempt to contact master.
last_trackerdb_service_time Time of last license servicing, tracking persistent store.
license_keys List of license keys this instance is using.
master_guid Master license GUID.
master_uri Master license URI.
receive_timeout Network layer receive timeout for communication to master (seconds).
send_timeout Network layer send timeout for communication to master (seconds).
slave_id This instance GUID.
slave_label This instance server name.
squash_threshold Threshold that enables source/host squashing of rows of usage data sent to master periodically.

[ Top ]



licenser/messages


https://<host>:<mPort>/services/licenser/messages

Authentication: Not required

Description

Provides access to licenser messages.

Messages may range from helpful warnings about being close to violations, licenses expiring or more severe alerts regarding overages and exceeding license warning window.

Method summary
Method Description Formats
GET Lists all messages/alerts/persisted warnings for this node. XML, JSON

GET licenser/messages method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
category Indicates the category for the licenser message. The category can be any of the following:

license_window

pool_over_quota

stack_over_quota

orphan_slave

pool_warning_count

pool_violated_slave_count

create_time The time the message was created in the system, expressed in Coordinated Universal time (UTC).
description The actual licenser message that is displayed.
pool_id The ID of the licesne pool to which the message applies.

If a pool ID is not present, then the message in not applicable to a specific license pool.

severity Indicates the severity of the message. The severity can be any of the following:

INFO

WARN

ERROR

slave_id The ID of the license slave to which the message applies.
stack_id The ID of the license stack to which the message applies.

If a stack ID is not present, thae the message is not applicable to a specific license stack.

[ Top ]



licenser/messages/{name}


https://<host>:<mPort>/services/licenser/messages/{name}

Authentication: Not required

Description

Get the message with message ID {name}.

Method summary
Method Description Formats
GET List specific message whose msgId corresponds to {name} component. XML, JSON

GET licenser/messages/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
category Indicates the category for the licenser message. The category can be any of the following:

license_window

pool_over_quota

stack_over_quota

orphan_slave

pool_warning_count

pool_violated_slave_count

create_time The time the message was created in the system, expressed in Coordinated Universal time (UTC).
description The actual licenser message that is displayed.
pool_id The ID of the licesne pool to which the message applies.

If a pool ID is not present, then the message in not applicable to a specific license pool.

severity Indicates the severity of the message. The severity can be any of the following:

INFO

WARN

ERROR

slave_id The ID of the license slave to which the message applies.
stack_id The ID of the license stack to which the message applies.

If a stack ID is not present, thae the message is not applicable to a specific license stack.

[ Top ]



licenser/pools


https://<host>:<mPort>/services/licenser/pools

Authentication: Not required

Description

Provides access to the licenser pools configuration.

A pool logically partitions the daily volume entitlements of a stack. You can use a license pool to divide license privileges amongst multiple slaves.

Method summary
Method Description Formats
GET Enumerates all pools. XML, JSON
POST Create a license pool. XML, JSON

GET licenser/pools method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
description Description of the license pool.
quota The byte quota of this license pool.

MAX: maximum amount allowed by the license. You can only have one pool with MAX size in a stack.

Number: the number of bytes allowed by this license.

slaves slaveids that are members of this pool.

Returned as a list in Atom format. See example below.

slaves_usage_bytes Usage, in bytes, of slaves to this license.
stack_id Stack ID of the stack corresponding to this pool.
used_bytes Usage, in bytes, for this license pool.

POST licenser/pools method detail

Example

Request parameters
description String Description of this pool
Name Type Default Description
name
required
String The name of the license pool you are creating.
quota
required
String Defines the byte quota of this pool.

Valid values:

MAX: maximum amount allowed by the license. You can only have one pool with MAX size in a stack.

Number[MB|GB]: Specify a specific size. For example, 552428800, or simply specify 50MB.

slaves String Comma-separated list of slaveids that are members of this pool, or '*' to accept all slaves.

You can also specify a comma-separated list of guids to specify slaves that can connect to this pool.

stack_id
required
Enum Valid values: (download-trial | Enterprise | Forwarder | Free | Lite | Lite_Free)

Stack ID of the stack corresponding to this pool

Response data keys

None

[ Top ]



licenser/pools/{name}


https://<host>:<mPort>/services/licenser/pools/{name}

Authentication: Not required

Description

Manage the {name} license pool.

Method summary
Method Description Formats
DELETE Delete specified pool. XML, JSON
GET Lists details of the pool specified by {name}. XML, JSON
POST Edit properties of the pool specified by {name}. XML, JSON

DELETE licenser/pools/{name} method detail

Example

Request parameters

None

Response data keys

None

Application usage

Deleting pools is not supported for every pool. Certain stacks have fixed pools which cannot be deleted.


GET licenser/pools/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
description Description of the license pool.
quota The byte quota of this license pool.

MAX: maximum amount allowed by the license. You can only have one pool with MAX size in a stack.

Number: the number of bytes allowed by this license.

slaves slaveids that are members of this pool.

Returned as a list in Atom format. See example below.

slaves_usage_bytes Usage, in bytes, of slaves to this license.
stack_id Stack ID of the stack corresponding to this pool.
used_bytes Usage, in bytes, for this license pool.

POST licenser/pools/{name} method detail

Example

Request parameters
Name Type Default Description
append_slaves Boolean Flag which controls whether newly specified slaves is appended to existing slaves list or overwritten
description String Description of this pool
quota String Defines the byte quota of this pool.

Valid values:

MAX: maximum amount allowed by the license. You can only have one pool with MAX size in a stack.

Number[MB|GB]: Specify a specific size. For example, 552428800, or simply specify 50MB.

slaves String Comma-separated list of slaveids that are members of this pool, or '*' to accept all slaves.

You can also specify a comma-separated list of guids to specify slaves that can connect to this pool.

Response data keys

None

[ Top ]



licenser/slaves


https://<host>:<mPort>/services/licenser/slaves

Authentication: Not required

Description

Provides access to slaves reporting to this license master.

Method summary
Method Description Formats
GET List all slaves registered to this license master. XML, JSON

GET licenser/slaves method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
label Plain text name for the license slave.
pool_ids License pools for which this license slave is a member.
stack_ids License stacks for which this license slave is a member.
warning_count Number of license warnings issued for this license slave.
Application usage

Any slave that attempts to connect to master is reported, regardless of whether it is allocated to a master licenser pool.

[ Top ]



licenser/slaves/{name}


https://<host>:<mPort>/services/licenser/slaves/{name}

Authentication: Not required

Description

Get {name} licenser slave license information.

Method summary
Method Description Formats
GET List attributes of slave specified by {name}. XML, JSON

GET licenser/slaves/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
label Plain text name for the license slave.
pool_ids License pools for which this license slave is a member.
stack_ids License stacks for which this license slave is a member.
warning_count Number of license warnings issued for this license slave.

[ Top ]



licenser/stacks


https://<host>:<mPort>/services/licenser/stacks

Authentication: Not required

Description

Provides access to the license stack configuration.

A license stack is comprised of one or more licenses of the same "type". The daily indexing quota of a license stack is additive, so a stack represents the aggregate entitlement for a collection of licenses.

Method summary
Method Description Formats
GET Enumerate all license stacks. XML, JSON

GET licenser/stacks method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
label The name of this license stack.
quota The byte quota of this license stack. This value is the sum of the byte quota for all the licenses in the license stack.
type Any additional information about the type of this license stack.

[ Top ]



licenser/stacks/{name}


https://<host>:<mPort>/services/licenser/stacks/{name}

Authentication: Not required

Description

Get {name} license stack information.

Method summary
Method Description Formats
GET Retrieve details of specific license stacks. XML, JSON

GET licenser/stacks/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
label The name of this license stack.
quota The byte quota of this license stack. This value is the sum of the byte quota for all the licenses in the license stack.
type Any additional information about the type of this license stack.
Application usage

A license stack is comprised of one or more licenses of the same "type". The daily indexing quota of a license stack is additive, so a stack represents the aggregate entitlement for a collection of licenses.

[ Top ]

licenser/usage


https://<host>:<mPort>/services/licenser/usage

Authentication: Required

Description

Provides current license usage stats from the last minute.

Method summary
Method Description Formats
GET Enumerate license usage information from the last minute. XML, JSON

GET licenser/usage method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
quota The byte quota of this license stack. This value is the sum of the byte quota for all the licenses in the active license group.
slaves_usage_bytes Slave usage bytes across all pools that are within the active license group.

[ Top ]



[ Top ]

License endpoint examples

licenser/groups GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/licenser/groups
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>groups</title>
 <id>https://localhost:8089/services/licenser/groups</id>
 <updated>2011-07-11T09:45:35-07:00</updated>
 <generator version="102824"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>Enterprise</title>
   <id>https://localhost:8089/services/licenser/groups/Enterprise</id>
   <updated>2011-07-11T09:45:35-07:00</updated>
   <link href="/services/licenser/groups/Enterprise" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/licenser/groups/Enterprise" rel="list"/>
   <link href="/services/licenser/groups/Enterprise" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       ... eai:acl node elided ...
       <s:key name="is_active">1</s:key>
       <s:key name="stack_ids">
         <s:list>
           <s:item>enterprise</s:item>
         </s:list>
       </s:key>
     </s:dict>
   </content>
 </entry>

</feed>


licenser/groups/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/licenser/groups/Forwarder
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>groups</title>
 <id>https://localhost:8089/services/licenser/groups</id>
 <updated>2011-07-11T09:47:18-07:00</updated>
 <generator version="102824"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>Forwarder</title>
   <id>https://localhost:8089/services/licenser/groups/Forwarder</id>
   <updated>2011-07-11T09:47:18-07:00</updated>
   <link href="/services/licenser/groups/Forwarder" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/licenser/groups/Forwarder" rel="list"/>
   <link href="/services/licenser/groups/Forwarder" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       ... eai:acl node elided ...
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list>
               <s:item>is_active</s:item>
             </s:list>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="is_active">0</s:key>
       <s:key name="stack_ids">
         <s:list>
           <s:item>forwarder</s:item>
         </s:list>
       </s:key>
     </s:dict>
   </content>
 </entry>

</feed>


licenser/groups/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/licenser/groups/Enterprise -d is_active=1
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>groups</title>
 <id>https://localhost:8089/services/licenser/groups</id>
 <updated>2011-07-11T09:55:02-07:00</updated>
 <generator version="102824"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>

</feed>


licenser/licenses GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/licenser/licenses
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>licenses</title>
 <id>https://localhost:8089/services/licenser/licenses</id>
 <updated>2011-07-11T09:30:33-07:00</updated>
 <generator version="102824"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/licenser/licenses/_new" rel="create"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>E08B ... elided ...FA75BF</title>
   <id>https://localhost:8089/services/licenser/licenses/E08B ... elided ...FA75BF</id>
   <updated>2011-07-11T09:30:33-07:00</updated>
   <link href="/services/licenser/licenses/E08B ... elided ...FA75BF" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/licenser/licenses/E08B ... elided ...FA75BF" rel="list"/>
   <link href="/services/licenser/licenses/E08B ... elided ...FA75BF" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="creation_time">1309852804</s:key>
       ... eai:acl node elided ...
       <s:key name="expiration_time">1315641604</s:key>
       <s:key name="features">
         <s:list>
           <s:item>Auth</s:item>
           <s:item>FwdData</s:item>
           <s:item>RcvData</s:item>
           <s:item>LocalSearch</s:item>
           <s:item>DistSearch</s:item>
           <s:item>RcvSearch</s:item>
           <s:item>ScheduledSearch</s:item>
           <s:item>Alerting</s:item>
           <s:item>DeployClient</s:item>
           <s:item>DeployServer</s:item>
           <s:item>SplunkWeb</s:item>
           <s:item>SigningProcessor</s:item>
           <s:item>SyslogOutputProcessor</s:item>
           <s:item>AllowDuplicateKeys</s:item>
         </s:list>
       </s:key>
       <s:key name="group_id">Trial</s:key>
       <s:key name="label">Splunk Enterprise Download Trial</s:key>
       <s:key name="license_hash">E08B ... elided ...FA75BF</s:key>
       <s:key name="max_violations">5</s:key>
       <s:key name="quota">524288000</s:key>
       <s:key name="sourcetypes">
         <s:list/>
       </s:key>
       <s:key name="stack_id">download-trial</s:key>
       <s:key name="status">VALID</s:key>
       <s:key name="type">download-trial</s:key>
       <s:key name="window_period">30</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


licenser/licenses POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/licenser/licenses -d name=/Users/myusername/downloads/Splunk_enterprise.lic
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>licenses</title>
 <id>https://localhost:8089/services/licenser/licenses</id>
 <updated>2011-07-11T09:41:32-07:00</updated>
 <generator version="102824"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/licenser/licenses/_new" rel="create"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>CF6C50 ... elided ...72CE6C</title>
   <id>https://localhost:8089/services/licenser/licenses/CF6C50 ... elided ...72CE6C</id>
   <updated>2011-07-11T09:41:32-07:00</updated>
   <link href="/services/licenser/licenses/CF6C50 ... elided ...72CE6C" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/licenser/licenses/CF6C50 ... elided ...72CE6C" rel="list"/>
   <link href="/services/licenser/licenses/CF6C50 ... elided ...72CE6C" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="creation_time">1306168427</s:key>
       ... eai:acl node elided ...
       <s:key name="expiration_time">2147483647</s:key>
       <s:key name="features">
         <s:list>
           <s:item>Auth</s:item>
           <s:item>FwdData</s:item>
           <s:item>RcvData</s:item>
           <s:item>LocalSearch</s:item>
           <s:item>DistSearch</s:item>
           <s:item>RcvSearch</s:item>
           <s:item>ScheduledSearch</s:item>
           <s:item>Alerting</s:item>
           <s:item>DeployClient</s:item>
           <s:item>DeployServer</s:item>
           <s:item>SplunkWeb</s:item>
           <s:item>SigningProcessor</s:item>
           <s:item>SyslogOutputProcessor</s:item>
           <s:item>CanBeRemoteMaster</s:item>
         </s:list>
       </s:key>
       <s:key name="group_id">Enterprise</s:key>
       <s:key name="label">Splunk Enterprise</s:key>
       <s:key name="license_hash">CF6C50 ... elided ...72CE6C</s:key>
       <s:key name="max_violations">5</s:key>
       <s:key name="quota">10737418240</s:key>
       <s:key name="sourcetypes">
         <s:list/>
       </s:key>
       <s:key name="stack_id">enterprise</s:key>
       <s:key name="status">VALID</s:key>
       <s:key name="type">enterprise</s:key>
       <s:key name="window_period">30</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


licenser/licenses/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/services/licenser/licenses/E4BF ... elided ...FC639D
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

xmlns:s="http://dev.splunk.com/ns/rest&quot;
 xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>licenses</title>
 <id>https://localhost:8089/services/licenser/licenses</id>
 <updated>2011-07-07T09:45:12-07:00</updated>
 <generator version="102824"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/licenser/licenses/_new" rel="create"/>
 <opensearch:totalResults>0</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>

</feed>


licenser/licenses/{name} GET

XML
XML Request

curl -k -u admin:pass https://127.0.0.1:3339/services/licenser/licenses/E4BF ... elided ...FC639D
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>licenses</title>
 <id>https://localhost:8089/services/licenser/licenses</id>
 <updated>2011-07-05T15:57:08-07:00</updated>
 <generator version="102824"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/licenser/licenses/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>E4BF ... elided ...FC639D</title>
   <id>https://localhost:8089/services/licenser/licenses/E4BF ... elided ...FC639D</id>
   <updated>2011-07-05T15:57:08-07:00</updated>
   <link href="/services/licenser/licenses/E4BF ... elided ...FC639D" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/licenser/licenses/E4BF ... elided ...FC639D" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="creation_time">1300901512</s:key>
       <s:key name="eai:acl"> ... elided ...</s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="expiration_time">1314811912</s:key>
       <s:key name="features">
         <s:list>
           <s:item>Auth</s:item>
           <s:item>FwdData</s:item>
           <s:item>RcvData</s:item>
           <s:item>LocalSearch</s:item>
           <s:item>DistSearch</s:item>
           <s:item>RcvSearch</s:item>
           <s:item>ScheduledSearch</s:item>
           <s:item>Alerting</s:item>
           <s:item>DeployClient</s:item>
           <s:item>DeployServer</s:item>
           <s:item>SplunkWeb</s:item>
           <s:item>SigningProcessor</s:item>
           <s:item>SyslogOutputProcessor</s:item>
           <s:item>AllowDuplicateKeys</s:item>
           <s:item>CanBeRemoteMaster</s:item>
         </s:list>
       </s:key>
       <s:key name="group_id">Enterprise</s:key>
       <s:key name="label">Splunk Internal License</s:key>
       <s:key name="license_hash">E4BF ... elided ...FC639D</s:key>
       <s:key name="max_violations">5</s:key>
       <s:key name="quota">10737418240</s:key>
       <s:key name="sourcetypes"><s:list/></s:key>
       <s:key name="stack_id">enterprise</s:key>
       <s:key name="status">VALID</s:key>
       <s:key name="type">enterprise</s:key>
       <s:key name="window_period">30</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


licenser/localslave GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/licenser/localslave
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>localslave</title>
 <id>https://localhost:8089/services/licenser/localslave</id>
 <updated>2014-09-08T11:30:21-07:00</updated>
 <generator build="221120" version="6.2"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>license</title>
   <id>https://localhost:8089/services/licenser/localslave/license</id>
   <updated>2014-09-08T11:30:21-07:00</updated>
   <link href="/services/licenser/localslave/license" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/licenser/localslave/license" rel="list"/>
   <link href="/services/licenser/localslave/license" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="add_ons">
         <s:dict>
           <s:key name="hadoop">
             <s:dict>
               <s:key name="parameters">
                 <s:dict>
                   <s:key name="erp_type">report</s:key>
                   <s:key name="maxNodes">10</s:key>
                 </s:dict>
               </s:key>
               <s:key name="type">external_results_provider</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="connection_timeout">30</s:key>
       <s:key name="eai:acl"> ... elided ... </s:key>
       <s:key name="features">
         <s:dict>
           <s:key name="Acceleration">ENABLED</s:key>
           <s:key name="AdvancedSearchCommands">ENABLED</s:key>
           <s:key name="AdvancedXML">ENABLED</s:key>
           <s:key name="Alerting">ENABLED</s:key>
           <s:key name="AllowDuplicateKeys">ENABLED</s:key>
           <s:key name="Auth">ENABLED</s:key>
           <s:key name="CanBeRemoteMaster">ENABLED</s:key>
           <s:key name="CustomRoles">ENABLED</s:key>
           <s:key name="DeployClient">ENABLED</s:key>
           <s:key name="DeployServer">ENABLED</s:key>
           <s:key name="DistSearch">ENABLED</s:key>
           <s:key name="FwdData">ENABLED</s:key>
           <s:key name="GuestPass">ENABLED</s:key>
           <s:key name="KVStore">ENABLED</s:key>
           <s:key name="LDAPAuth">ENABLED</s:key>
           <s:key name="LocalSearch">ENABLED</s:key>
           <s:key name="MultisiteClustering">ENABLED</s:key>
           <s:key name="NontableLookups">ENABLED</s:key>
           <s:key name="RcvData">ENABLED</s:key>
           <s:key name="RcvSearch">ENABLED</s:key>
           <s:key name="ResetWarnings">DISABLED_DUE_TO_LICENSE</s:key>
           <s:key name="RollingWindowAlerts">ENABLED</s:key>
           <s:key name="ScheduledAlerts">ENABLED</s:key>
           <s:key name="ScheduledReports">ENABLED</s:key>
           <s:key name="ScheduledSearch">ENABLED</s:key>
           <s:key name="SearchheadPooling">ENABLED</s:key>
           <s:key name="SigningProcessor">ENABLED</s:key>
           <s:key name="SplunkWeb">ENABLED</s:key>
           <s:key name="SyslogOutputProcessor">ENABLED</s:key>
           <s:key name="UnisiteClustering">ENABLED</s:key>
         </s:dict>
       </s:key>
       <s:key name="last_master_contact_attempt_time">1410201013</s:key>
       <s:key name="last_master_contact_success_time">1410201013</s:key>
       <s:key name="last_trackerdb_service_time">0</s:key>
       <s:key name="license_keys">
         <s:list>
           <s:item>4467A79214BACAD9BB01F28193D6E15129DADC3B99D69D78884D4D68D2DDE750</s:item>
         </s:list>
       </s:key>
       <s:key name="master_guid">9CBD8473-4E7D-4FF2-A042-050C5C27C298</s:key>
       <s:key name="master_uri">self</s:key>
       <s:key name="receive_timeout">30</s:key>
       <s:key name="send_timeout">30</s:key>
       <s:key name="slave_id">9CBD8473-4E7D-4FF2-A042-050C5C27C298</s:key>
       <s:key name="slave_label">MY MACHINE</s:key>
       <s:key name="squash_threshold">2000</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


licenser/messages GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/licenser/messages
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>licensermessages</title>
 <id>https://localhost:8089/services/licenser/messages</id>
 <updated>2011-08-02T03:50:46-07:00</updated>
 <generator version="105103"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>70a19a5cfe6d7c2a678089638dee7bea</title>
   <id>https://localhost:8089/services/licenser/messages/70a19a5cfe6d7c2a678089638dee7bea</id>
   <updated>2011-08-02T03:50:46-07:00</updated>
   <link href="/services/licenser/messages/70a19a5cfe6d7c2a678089638dee7bea" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/licenser/messages/70a19a5cfe6d7c2a678089638dee7bea" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="category">pool_warning_count</s:key>
       <s:key name="create_time">1312282230</s:key>
       <s:key name="description">This pool contains slave(s) with 3 warnings</s:key>
       ... eai:acl node elided ...
       <s:key name="pool_id"/>
       <s:key name="severity">WARN</s:key>
       <s:key name="slave_id"/>
       <s:key name="stack_id"/>
     </s:dict>
   </content>
 </entry>

</feed>


licenser/messages/{name} GET

XML
XML Request

curl -k -u admin:pass https://127.0.0.1:3339/services/licenser/messages/2702b33a1bd369ae9209a9ecf4cb39db
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
   <title>licensermessages</title>
   <id>https://127.0.0.1:3339/services/licenser/messages</id>
   <updated>2011-05-16T21:45:17-07:00</updated>
   <generator version="99678"/>
   <author>
       <name>Splunk</name>
   </author>
   <opensearch:totalResults>1</opensearch:totalResults>
   <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
   <opensearch:startIndex>0</opensearch:startIndex>
   <s:messages/>
   <entry>
       <title>2702b33a1bd369ae9209a9ecf4cb39db</title>
       <id>https://127.0.0.1:3339/services/licenser/messages/2702b33a1bd369ae9209a9ecf4cb39db</id>
       <updated>2011-05-16T21:45:17-07:00</updated>
       <link href="/services/licenser/messages/2702b33a1bd369ae9209a9ecf4cb39db" rel="alternate"/>
       <author>
           <name>system</name>
       </author>
       <link href="/services/licenser/messages/2702b33a1bd369ae9209a9ecf4cb39db" rel="list"/>
       <content type="text/xml">
           <s:dict>
               <s:key name="category">license_window</s:key>
               <s:key name="create_time">1305607136</s:key>
               <s:key name="description">test warnings</s:key>
               <s:key name="eai:acl">... elided ...</s:key>
               <s:key name="eai:attributes">
                   <s:dict>
                       <s:key name="optionalFields">
                           <s:list/>
                       </s:key>
                       <s:key name="requiredFields">
                           <s:list/>
                       </s:key>
                       <s:key name="wildcardFields">
                           <s:list/>
                       </s:key>
                   </s:dict>
               </s:key>
               <s:key name="pool_id"/>
               <s:key name="severity">WARN</s:key>
               <s:key name="slave_id"/>
               <s:key name="stack_id"/>
           </s:dict>
       </content>
   </entry>

</feed>


licenser/pools GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/licenser/pools
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>pools</title>
 <id>https://localhost:8089/services/licenser/pools</id>
 <updated>2011-07-08T10:55:18-07:00</updated>
 <generator version="102824"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/licenser/pools/_new" rel="create"/>
 <link href="/services/licenser/pools/_reload" rel="_reload"/>
 <opensearch:totalResults>4</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 ... elided ...
 <entry>
   <title>auto_generated_pool_enterprise</title>
   <id>https://localhost:8089/servicesNS/nobody/system/licenser/pools/auto_generated_pool_enterprise</id>
   <updated>2011-07-08T10:55:18-07:00</updated>
   <link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_enterprise" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_enterprise" rel="list"/>
   <link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_enterprise/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_enterprise" rel="edit"/>
   <link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_enterprise" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="description">auto_generated_pool_enterprise</s:key>
       <s:key name="eai:acl"> ... elided ...</s:key>
       <s:key name="quota">MAX</s:key>
       <s:key name="slaves"><s:list><s:item>*</s:item></s:list></s:key>
       <s:key name="slaves_usage_bytes">
         <s:dict><s:key name="1F3A34AE-75DA-4680-B184-5BF309843919">26445659</s:key></s:dict>
       </s:key>
       <s:key name="stack_id">enterprise</s:key>
       <s:key name="used_bytes">26445659</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>auto_generated_pool_forwarder</title>
   <id>https://localhost:8089/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder</id>
   <updated>2011-07-08T10:55:18-07:00</updated>
   <link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder" rel="list"/>
   <link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder" rel="edit"/>
   <link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="description">auto_generated_pool_forwarder</s:key>
      <s:key name="eai:acl"> ... elided ...</s:key>
       <s:key name="quota">MAX</s:key>
       <s:key name="slaves"><s:list><s:item>*</s:item></s:list></s:key>
       <s:key name="slaves_usage_bytes"></s:key>
       <s:key name="stack_id">forwarder</s:key>
       <s:key name="used_bytes">0</s:key>
     </s:dict>
   </content>
 </entry>
 ... elided ...

</feed>


licenser/pools POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/licenser/pools -d name=myLicensePool -d quota=MAX -d slaves=* -d stack_id=enterprise
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>pools</title>
 <id>https://localhost:8089/services/licenser/pools</id>
 <updated>2011-07-08T11:31:47-07:00</updated>
 <generator version="102824"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/licenser/pools/_new" rel="create"/>
 <link href="/services/licenser/pools/_reload" rel="_reload"/>
 <opensearch:totalResults>0</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>

</feed>


licenser/pools/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/services/licenser/pools/auto_generated_pool_enterprise
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>pools</title>
 <id>https://localhost:8089/services/licenser/pools</id>
 <updated>2011-07-08T11:29:26-07:00</updated>
 <generator version="102824"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/licenser/pools/_new" rel="create"/>
 <link href="/services/licenser/pools/_reload" rel="_reload"/>
 <opensearch:totalResults>0</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>

</feed>


licenser/pools/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/licenser/pools/auto_generated_pool_forwarder
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>pools</title>
 <id>https://localhost:8089/services/licenser/pools</id>
 <updated>2011-07-08T11:03:37-07:00</updated>
 <generator version="102824"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/licenser/pools/_new" rel="create"/>
 <link href="/services/licenser/pools/_reload" rel="_reload"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>auto_generated_pool_forwarder</title>
   <id>https://localhost:8089/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder</id>
   <updated>2011-07-08T11:03:37-07:00</updated>
   <link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder" rel="list"/>
   <link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder" rel="edit"/>
   <link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="description">auto_generated_pool_forwarder</s:key>
       <s:key name="eai:acl"> ... elided ...</s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list>
               <s:item>append_slaves</s:item>
               <s:item>description</s:item>
               <s:item>quota</s:item>
               <s:item>slaves</s:item>
             </s:list>
           </s:key>
           <s:key name="requiredFields">
             <s:list/></s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="quota">MAX</s:key>
       <s:key name="slaves"><s:list><s:item>*</s:item></s:list></s:key>
       <s:key name="slaves_usage_bytes"></s:key>
       <s:key name="stack_id">forwarder</s:key>
       <s:key name="used_bytes">0</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


licenser/pools/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/licenser/pools/myLicensePool -d quota=50MB
XML Response
... elided ...
 <entry>
   <title>myLicensePool</title>
   <id>https://localhost:8085/servicesNS/nobody/system/licenser/pools/myLicensePool</id>
   <updated>2011-07-24T08:46:49-07:00</updated>
   <link href="/servicesNS/nobody/system/licenser/pools/myLicensePool" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/licenser/pools/myLicensePool" rel="list"/>
   <link href="/servicesNS/nobody/system/licenser/pools/myLicensePool/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/licenser/pools/myLicensePool" rel="edit"/>
   <link href="/servicesNS/nobody/system/licenser/pools/myLicensePool" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="description"></s:key>
       ... eai:acl node elided ...
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list>
               <s:item>append_slaves</s:item>
               <s:item>description</s:item>
               <s:item>quota</s:item>
               <s:item>slaves</s:item>
             </s:list>
           </s:key>
           <s:key name="requiredFields">
             <s:list/></s:key>
           <s:key name="wildcardFields">
             <s:list/></s:key>
         </s:dict>
       </s:key>
       <s:key name="quota">552428800</s:key>
       <s:key name="slaves"><s:list><s:item>*</s:item></s:list></s:key>
       <s:key name="slaves_usage_bytes">
         <s:dict>
           <s:key name="1F3A34AE-75DA-4680-B184-5BF309843919">39846322</s:key>
         </s:dict>
       </s:key>
       <s:key name="stack_id">enterprise</s:key>
       <s:key name="used_bytes">39846322</s:key>
     </s:dict>
   </content>
 </entry>

licenser/slaves GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/licenser/slaves
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

xmlns:s="http://dev.splunk.com/ns/rest&quot;
 xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>slaves</title>
 <id>https://localhost:8089/services/licenser/slaves</id>
 <updated>2011-05-17T09:37:54-07:00</updated>
 <generator version="99849"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>74A43C7E-C33C-41F6-B027-E603D2C3FE68</title>
   <id>https://localhost:8089/servicesNS/nobody/system/licenser/slaves/74A43C7E-C33C-41F6-B027-E603D2C3FE68</id>
   <updated>2011-05-17T09:37:54-07:00</updated>
   <link href="/servicesNS/nobody/system/licenser/slaves/74A43C7E-C33C-41F6-B027-E603D2C3FE68" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/licenser/slaves/74A43C7E-C33C-41F6-B027-E603D2C3FE68" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app">system</s:key>
           <s:key name="can_write">1</s:key>
             <s:key name="modifiable">0</s:key>
           <s:key name="owner">nobody</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="label">thething-vishalp</s:key>
       <s:key name="pool_ids">
         <s:list>
           <s:item>auto_generated_pool_enterprise</s:item>
           <s:item>auto_generated_pool_forwarder</s:item>
           <s:item>auto_generated_pool_free</s:item>
         </s:list>
       </s:key>
       <s:key name="stack_ids">
         <s:list>
           <s:item>enterprise</s:item>
           <s:item>forwarder</s:item>
           <s:item>free</s:item>
         </s:list>
       </s:key>
       <s:key name="warning_count">0</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


licenser/slaves/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/licenser/slaves/74A43C7E-C33C-41F6-B027-E603D2C3FE68
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

  xmlns:s="http://dev.splunk.com/ns/rest&quot;
   xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>slaves</title>
 <id>https://127.0.0.1:8282/services/licenser/slaves</id>
 <updated>2011-05-17T09:44:10-07:00</updated>
 <generator version="99849"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>74A43C7E-C33C-41F6-B027-E603D2C3FE68</title>
   <id>https://127.0.0.1:8282/servicesNS/nobody/system/licenser/slaves/74A43C7E-C33C-41F6-B027-E603D2C3FE68</id>
   <updated>2011-05-17T09:44:10-07:00</updated>
   <link href="/servicesNS/nobody/system/licenser/slaves/74A43C7E-C33C-41F6-B027-E603D2C3FE68" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/licenser/slaves/74A43C7E-C33C-41F6-B027-E603D2C3FE68" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app">system</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">nobody</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="label">thething-vishalp</s:key>
       <s:key name="pool_ids">
         <s:list>
           <s:item>auto_generated_pool_enterprise</s:item>
           <s:item>auto_generated_pool_forwarder</s:item>
           <s:item>auto_generated_pool_free</s:item>
         </s:list>
       </s:key>
       <s:key name="stack_ids">
         <s:list>
           <s:item>enterprise</s:item>
           <s:item>forwarder</s:item>
           <s:item>free</s:item>
         </s:list>
       </s:key>
       <s:key name="warning_count">0</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


licenser/stacks GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/licenser/stacks
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>stacks</title>
 <id>https://localhost:8089/services/licenser/stacks</id>
 <updated>2011-07-08T10:37:33-07:00</updated>
 <generator version="102824"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>4</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>download-trial</title>
   <id>https://localhost:8089/services/licenser/stacks/download-trial</id>
   <updated>2011-07-08T10:37:33-07:00</updated>
   <link href="/services/licenser/stacks/download-trial" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/licenser/stacks/download-trial" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">... elided ...</s:key>
       <s:key name="label">Splunk Enterprise Download Trial</s:key>
       <s:key name="quota">524288000</s:key>
       <s:key name="type">download-trial</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>enterprise</title>
   <id>https://localhost:8089/services/licenser/stacks/enterprise</id>
   <updated>2011-07-08T10:37:33-07:00</updated>
   <link href="/services/licenser/stacks/enterprise" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/licenser/stacks/enterprise" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">... elided ...</s:key>
       <s:key name="label">Splunk Internal License</s:key>
       <s:key name="quota">10737418240</s:key>
       <s:key name="type">enterprise</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>forwarder</title>
   <id>https://localhost:8089/services/licenser/stacks/forwarder</id>
   <updated>2011-07-08T10:37:33-07:00</updated>
   <link href="/services/licenser/stacks/forwarder" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/licenser/stacks/forwarder" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">... elided ...</s:key>
       <s:key name="label">Splunk Forwarder</s:key>
       <s:key name="quota">1048576</s:key>
       <s:key name="type">forwarder</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>free</title>
   <id>https://localhost:8089/services/licenser/stacks/free</id>
   <updated>2011-07-08T10:37:33-07:00</updated>
   <link href="/services/licenser/stacks/free" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/licenser/stacks/free" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">... elided ...</s:key>
       <s:key name="label">Splunk Free</s:key>
       <s:key name="quota">524288000</s:key>
       <s:key name="type">free</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


licenser/stacks/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/enterprise
XML Response

span style="color: #008000; font-weight: bold"><feed</span> xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>stacks</title>
 <id>https://localhost:8089/services/licenser/stacks</id>
 <updated>2011-07-08T10:42:44-07:00</updated>
 <generator version="102824"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>enterprise</title>
   <id>https://localhost:8089/services/licenser/stacks/enterprise</id>
   <updated>2011-07-08T10:42:44-07:00</updated>
   <link href="/services/licenser/stacks/enterprise" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/licenser/stacks/enterprise" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:attributes"> ... elided ...</s:key>
       <s:key name="label">Splunk Internal License</s:key>
       <s:key name="quota">10737418240</s:key>
       <s:key name="type">enterprise</s:key>
     </s:dict>
   </content>
 </entry>

</feed>

licenser/usage GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/licenser/usage
XML Response

<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>licenseusage</title>
  <id>https://localhost:8089/services/licenser/usage</id>
  <updated>2015-06-03T11:46:10-07:00</updated>
  <generator build="6cfc0237739f" version="6.3.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/licenser/usage/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>license_usage</title>
    <id>https://localhost:8089/services/licenser/usage/license_usage</id>
    <updated>2015-06-03T11:46:10-07:00</updated>
    <link href="/services/licenser/usage/license_usage" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/licenser/usage/license_usage" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="quota">214748364800</s:key>
        <s:key name="slaves_usage_bytes">0</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

Output endpoints

Output endpoint descriptions

Manage data from Splunk Enterprise forwarders.

[ Top ]



data/outputs/tcp/default


https://<host>:<mPort>/services/data/outputs/tcp/default

Authentication: Not required

Description

Provides access to global TCP out properties.

Method summary
Method Description Formats
GET Returns the current tcpout properties. XML, JSON
POST Configures global tcpout properties. XML, JSON

GET data/outputs/tcp/default method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
autoLB Specifies whether Auto Load balance method is used.
defaultGroup Target group names. The forwarder sends all data to the specified groups.

Starting with 4.2, this attribute is no longer required.

disabled Indicates if tcpout settings are disabled.
forwardedindex.0.whitelist Specifies 0th whitelist filter.

forwardedindex.<n>.whitelist decides which events get forwarded based on the indexes they belong to.

forwardedindex.1.blacklist Specifies 1st blacklist filter. forwardedindex.<n>.blacklist specifies index for which events are not forwarded.
forwardedindex.2.whitelist Specifies 2nd whitelist filter.

forwardedindex.<n>.whitelist decides which events get forwarded based on the indexes they belong to.

forwardedindex.filter.disable Specifies whether filtering of forwarded data based on index is diasbled.
indexAndForward Specifies whether to index all data locally, in addition to forwarding it. Defaults to false.

This is known as an "index-and-forward" configuration. This attribute is only available for heavy forwarders. It is available only at the top level [tcpout] stanza in outputs.conf. It cannot be overridden in a target group.

maxQueueSize Sets the maximum size of the forwarder output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true).

See the parmeter description for the POST operation for more information.


POST data/outputs/tcp/defaultx method detail

Example

Request parameters
Name Type Default Description
defaultGroup String Comma-separated list of one or more target group names, specified later in [tcpout:<target_group>] stanzas of outputs.conf.spec file.

The forwarder sends all data to the specified groups. If you do not want to forward data automatically, do not set this attribute. Can be overridden by an inputs.conf _TCP_ROUTING setting, which in turn can be overridden by a props.conf/transforms.conf modifier.

Starting with 4.2, this attribute is no longer required.

disabled Boolean Disables default tcpout settings
dropEventsOnQueueFull Number If set to a positive number, wait the specified number of seconds before throwing out all new events until the output queue has space. Defaults to -1 (do not drop events).

CAUTION: Do not set this value to a positive integer if you are monitoring files.

Setting this to -1 or 0 causes the output queue to block when it gets full, which causes further blocking up the processing chain. If any target group queue is blocked, no more data reaches any other target group.

Using auto load-balancing is the best way to minimize this condition, because, in that case, multiple receivers must be down (or jammed up) before queue blocking can occur.

heartbeatFrequency Number How often (in seconds) to send a heartbeat packet to the receiving server.

Heartbeats are only sent if sendCookedData=true. Defaults to 30 seconds.

indexAndForward Boolean Specifies whether to index all data locally, in addition to forwarding it. Defaults to false.

This is known as an "index-and-forward" configuration. This attribute is only available for heavy forwarders. It is available only at the top level [tcpout] stanza in outputs.conf. It cannot be overridden in a target group.

maxQueueSize Number Specify an integer or integer[KB|MB|GB].

Sets the maximum size of the forwarder output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true).

Although the wait queue and the output queues are both configured by this attribute, they are separate queues. The setting determines the maximum size of the queue in-memory (RAM) buffer.

For heavy forwarders sending parsed data, maxQueueSize is the maximum number of events. Since events are typically much shorter than data blocks, the memory consumed by the queue on a parsing forwarder is likely to be much smaller than on a non-parsing forwarder, if you use this version of the setting.

If specified as a lone integer (for example, maxQueueSize=100), maxQueueSize indicates the maximum number of queued events (for parsed data) or blocks of data (for unparsed data). A block of data is approximately 64KB. For non-parsing forwarders, such as universal forwarders, that send unparsed data, maxQueueSize is the maximum number of data blocks.

If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB), maxQueueSize indicates the maximum RAM allocated to the queue buffer. Defaults to 500KB (which means a maximum size of 500KB for the output queue and 1500KB for the wait queue, if any).

name
required
String Configuration to be edited. The only valid value is "tcpout".
sendCookedData Boolean If true, events are cooked (processed by Splunk Enterprise). If false, events are raw and untouched prior to sending. Defaults to true.

Set to false if you are sending to a third-party system.

Response data keys

None

[ Top ]



data/outputs/tcp/default/{name}


https://<host>:<mPort>/services/data/outputs/tcp/default/{name}

Authentication: Not required

Description

Manage forwarder settings.

Method summary
Method Description Formats
DELETE Disable the default forwarding settings. XML, JSON
GET Retrieve the named configuration. XML, JSON
POST Configure global forwarding properties. XML, JSON

DELETE data/outputs/tcp/default/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/outputs/tcp/default/{name} method detail

Example

Request parameters

None

Response data keys

None

Application usage

The only valid name here is "tcpout".


POST data/outputs/tcp/default/{name} method detail

Example

Request parameters
Name Type Default Description
defaultGroup String Comma-separated list of one or more target group names, specified later in [tcpout:<target_group>] stanzas of outputs.conf.spec file.

The forwarder sends all data to the specified groups. If you do not want to forward data automatically, do not set this attribute. Can be overridden by an inputs.conf _TCP_ROUTING setting, which in turn can be overridden by a props.conf/transforms.conf modifier.

Starting with 4.2, this attribute is no longer required.

disabled Boolean Disables default tcpout settings
dropEventsOnQueueFull Number If set to a positive number, wait the specified number of seconds before throwing out all new events until the output queue has space. Defaults to -1 (do not drop events).

CAUTION: Do not set this value to a positive integer if you are monitoring files.

Setting this to -1 or 0 causes the output queue to block when it gets full, which causes further blocking up the processing chain. If any target group queue is blocked, no more data reaches any other target group.

Using auto load-balancing is the best way to minimize this condition, because, in that case, multiple receivers must be down (or jammed up) before queue blocking can occur.

heartbeatFrequency Number How often (in seconds) to send a heartbeat packet to the receiving server.

Heartbeats are only sent if sendCookedData=true. Defaults to 30 seconds.

indexAndForward Boolean Specifies whether to index all data locally, in addition to forwarding it. Defaults to false.

This is known as an "index-and-forward" configuration. This attribute is only available for heavy forwarders. It is available only at the top level [tcpout] stanza in outputs.conf. It cannot be overridden in a target group.

maxQueueSize Number Specify an integer or integer[KB|MB|GB].

Sets the maximum size of the forwarder output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true).

Although the wait queue and the output queues are both configured by this attribute, they are separate queues. The setting determines the maximum size of the queue in-memory (RAM) buffer.

For heavy forwarders sending parsed data, maxQueueSize is the maximum number of events. Since events are typically much shorter than data blocks, the memory consumed by the queue on a parsing forwarder is likely to be much smaller than on a non-parsing forwarder, if you use this version of the setting.

If specified as a lone integer (for example, maxQueueSize=100), maxQueueSize indicates the maximum number of queued events (for parsed data) or blocks of data (for unparsed data). A block of data is approximately 64KB. For non-parsing forwarders, such as universal forwarders, that send unparsed data, maxQueueSize is the maximum number of data blocks.

If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB), maxQueueSize indicates the maximum RAM allocated to the queue buffer. Defaults to 500KB (which means a maximum size of 500KB for the output queue and 1500KB for the wait queue, if any).

sendCookedData Boolean If true, events are cooked (processed by Splunk Enterprise). If false, events are raw and untouched prior to sending. Defaults to true.

Set to false if you are sending to a third-party system.

Response data keys

None

[ Top ]



data/outputs/tcp/group


https://<host>:<mPort>/services/data/outputs/tcp/group

Authentication: Not required

Description

Provides access to the configuration of a group of one or more data forwarding destinations.

Method summary
Method Description Formats
GET Returns configuration information about target groups. XML, JSON
POST Configures a group of one or more data forwarding destinations. XML, JSON

GET data/outputs/tcp/group method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
disabled Indicates if tcpout is disabled for this group.
method Specifies the type of output processor.

Valid values: (tcpout | syslog)

servers Servers included in this group.

POST data/outputs/tcp/group method detail

Example

Request parameters
Name Type Default Description
compressed Boolean false If true, forwarder sends compressed data.

If set to true, the receiver port must also have compression turned on.

disabled Boolean false If true, disables the group.
dropEventsOnQueueFull Number -1 If set to a positive number, wait the specified number of seconds before throwing out all new events until the output queue has space. Defaults to -1 (do not drop events).

CAUTION: Do not set this value to a positive integer if you are monitoring files.

Setting this to -1 or 0 causes the output queue to block when it gets full, which causes further blocking up the processing chain. If any target group queue is blocked, no more data reaches any other target group.

Using auto load-balancing is the best way to minimize this condition, because, in that case, multiple receivers must be down (or jammed up) before queue blocking can occur.

heartbeatFrequency Number 30 How often (in seconds) to send a heartbeat packet to the group.

Heartbeats are only sent if sendCookedData=true. Defaults to 30 seconds.

maxQueueSize Number auto Specify either an integer or integer[KB|MB|GB].

Sets the maximum size of the forwarder output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true).

Although the wait queue and the output queues are both configured by this attribute, they are separate queues. The setting determines the maximum size of the queue in-memory (RAM) buffer.

For heavy forwarders sending parsed data, maxQueueSize is the maximum number of events. Since events are typically much shorter than data blocks, the memory consumed by the queue on a parsing forwarder is likely to be much smaller than on a non-parsing forwarder, if you use this version of the setting.

If specified as a lone integer (for example, maxQueueSize=100), maxQueueSize indicates the maximum number of queued events (for parsed data) or blocks of data (for unparsed data). A block of data is approximately 64KB. For non-parsing forwarders, such as universal forwarders, that send unparsed data, maxQueueSize is the maximum number of data blocks.

If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB), maxQueueSize indicates the maximum RAM allocated to the queue buffer. Defaults to 500KB (which means a maximum size of 500KB for the output queue and 1500KB for the wait queue, if any).

method Enum Valid values: (tcpout | syslog)

Specifies the type of output processor.

name
required
String The name of the group of receivers.
sendCookedData Boolean true If true, send cooked events (events processed by Splunk).

If false, events are raw and untouched prior to sending. Set to false if you are sending to a third-party system.

Defaults to true.

servers
required
String Comma-separated list of servers to include in the group.
Response data keys

None

[ Top ]



data/outputs/tcp/group/{name}


https://<host>:<mPort>/services/data/outputs/tcp/group/{name}

Authentication: Not required

Description

Manage the {name} target group.

Method summary
Method Description Formats
DELETE Deletes the target group specified by {name}. XML, JSON
GET Returns configuration information about the target group specified by {name}. XML, JSON
POST Updates the configuration of the target group. XML, JSON

DELETE data/outputs/tcp/group/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/outputs/tcp/group/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
autoLB Indicates if the forwarder performs automatic load balancing.

See the description for the autoLB parameter in POST data/outputs/tcp/group for details.

disabled Indicates if tcpout is disabled for this group.
method Specifies the type of output processor.

Valid values: (tcpout | syslog)

servers Servers included in this group.

POST data/outputs/tcp/group/{name} method detail

Example

Request parameters
Name Type Default Description
compressed Boolean false If true, forwarder sends compressed data.

If set to true, the receiver port must also have compression turned on.

disabled Boolean false If true, disables the group.
dropEventsOnQueueFull Number -1 If set to a positive number, wait the specified number of seconds before throwing out all new events until the output queue has space. Defaults to -1 (do not drop events).

CAUTION: Do not set this value to a positive integer if you are monitoring files.

Setting this to -1 or 0 causes the output queue to block when it gets full, which causes further blocking up the processing chain. If any target group queue is blocked, no more data reaches any other target group.

Using auto load-balancing is the best way to minimize this condition, because, in that case, multiple receivers must be down (or jammed up) before queue blocking can occur.

heartbeatFrequency Number 30 How often (in seconds) to send a heartbeat packet to the group.

Heartbeats are only sent if sendCookedData=true. Defaults to 30 seconds.

maxQueueSize Number auto Specify either an integer or integer[KB|MB|GB].

Sets the maximum size of the forwarder output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true).

Although the wait queue and the output queues are both configured by this attribute, they are separate queues. The setting determines the maximum size of the queue in-memory (RAM) buffer.

For heavy forwarders sending parsed data, maxQueueSize is the maximum number of events. Since events are typically much shorter than data blocks, the memory consumed by the queue on a parsing forwarder is likely to be much smaller than on a non-parsing forwarder, if you use this version of the setting.

If specified as a lone integer (for example, maxQueueSize=100), maxQueueSize indicates the maximum number of queued events (for parsed data) or blocks of data (for unparsed data). A block of data is approximately 64KB. For non-parsing forwarders, such as universal forwarders, that send unparsed data, maxQueueSize is the maximum number of data blocks.

If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB), maxQueueSize indicates the maximum RAM allocated to the queue buffer. Defaults to 500KB (which means a maximum size of 500KB for the output queue and 1500KB for the wait queue, if any).

method Enum Valid values: (tcpout | syslog)

Specifies the type of output processor.

sendCookedData Boolean true If true, send cooked events (events processed by Splunk).

If false, events are raw and untouched prior to sending. Set to false if you are sending to a third-party system.

Defaults to true.

servers
required
String Comma-separated list of servers to include in the group.
Response data keys

None

[ Top ]



data/outputs/tcp/server


https://<host>:<mPort>/services/data/outputs/tcp/server

Authentication: Not required

Description

Provides access to data forwarding configurations.

Method summary
Method Description Formats
GET Lists existing forwarded servers. XML, JSON
POST Creates a new forwarder output. XML, JSON

GET data/outputs/tcp/server method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
destHost DNS name of the destination server.
destIp IP address of the destination server.
destPort Port on which the destination server is listening.
disabled Indicates if the outputs to the destination server is disabled.
method The data distribution method used when two or more servers exist in the same forwarder group.

Valid values: (clone | balance | autobalance)

sourcePort Port on destination server where data is forwarded.
status Indicates the status of the connection to the server.

POST data/outputs/tcp/server method detail

Example

Request parameters
Name Type Default Description
disabled Boolean If true, disables the forwarder.
method Enum Valid values: (clone | balance | autobalance)

The data distribution method used when two or more servers exist in the same forwarder group.

name
required
String <host>:<port> of the Splunk Enterprise receiver. <host> can be either an ip address or server name. <port> is the that port that the Splunk receiver is listening on.
sslAltNameToCheck String The alternate name to match in the remote server's SSL certificate.
sslCertPath String Path to the client certificate. If specified, connection uses SSL.
sslCipher String SSL Cipher in the form ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
sslCommonNameToCheck String Check the common name of the server's certificate against this name.

If there is no match, assume that Splunk Enterprise is not authenticated against this server. You must specify this setting if sslVerifyServerCert is true.

sslPassword String The password associated with the CAcert.

The default Splunk Enterprise CAcert uses the password "password."

sslRootCAPath String The path to the root certificate authority file (optional).
sslVerifyServerCert Boolean If true, make sure that the server you are connecting to is a valid one (authenticated). Both the common name and the alternate name of the server are then checked for a match.
Response data keys

None

[ Top ]



data/outputs/tcp/server/{name}


https://<host>:<mPort>/services/data/outputs/tcp/server/{name}

Authentication: Not required

Description

Manage the {name} forwarder.

Method summary
Method Description Formats
DELETE Deletes the configuration for the forwarded server specified by {name}. XML, JSON
GET Lists information aobut the forwarded server specified by {name}. XML, JSON
POST Configures the forwarded server specified by {name}. XML, JSON

DELETE data/outputs/tcp/server/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/outputs/tcp/server/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
disabled Indicates if the outputs to the destination server is disabled.
method The data distribution method used when two or more servers exist in the same forwarder group.

Valid values: (clone | balance | autobalance)


POST data/outputs/tcp/server/{name} method detail

Example

Request parameters
Name Type Default Description
disabled Boolean If true, disables the forwarder.
method Enum Valid values: (clone | balance | autobalance)

The data distribution method used when two or more servers exist in the same forwarder group.

sslAltNameToCheck String The alternate name to match in the remote server's SSL certificate.
sslCertPath String Path to the client certificate. If specified, connection uses SSL.
sslCipher String SSL Cipher in the form ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
sslCommonNameToCheck String Check the common name of the server's certificate against this name.

If there is no match, assume that Splunk Enterprise is not authenticated against this server. You must specify this setting if sslVerifyServerCert is true.

sslPassword String The password associated with the CAcert.

The default Splunk Enterprise CAcert uses the password "password."

sslRootCAPath String The path to the root certificate authority file (optional).
sslVerifyServerCert Boolean If true, make sure that the server you are connecting to is a valid one (authenticated). Both the common name and the alternate name of the server are then checked for a match.
Response data keys

None

[ Top ]



data/outputs/tcp/server/{name}/allconnections


https://<host>:<mPort>/services/data/outputs/tcp/server/{name}/allconnections

Authentication: Not required

Description

Get {name} forwarder connections.

Method summary
Method Description Formats
GET List current connections to forwarded server specified by {name} XML, JSON

GET data/outputs/tcp/server/{name}/allconnections method detail

Example

Request parameters

None

Response data keys
Name Description
destHost DNS name of the destination server.
destIp IP address of the destination server.
destPort Port on which the destination server is listening.
sourcePort Port on destination server where data is forwarded.
status Indicates the status of the connection to the server.

[ Top ]



data/outputs/tcp/syslog


https://<host>:<mPort>/services/data/outputs/tcp/syslog

Authentication: Not required

Description

Provides access to the configuration of a forwarded server configured to provide data in standard syslog format.

Method summary
Method Description Formats
GET Provides access to syslog data forwarding configurations. XML, JSON
POST Configures a forwarder to send data in standard syslog format. XML, JSON

GET data/outputs/tcp/syslog method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
disabled Specifies whether global syslog configuration is disabled.
server Specifies server:port where data is forwarded.
type Specifies whether tcp or udp is used to forward data. If unspecified, udp is used. Valid values : (tcp | udp).

POST data/outputs/tcp/syslog method detail

Example

Request parameters
Name Type Default Description
disabled Boolean If true, disables global syslog settings.
name
required
String Name of the syslog output group. This is name used when creating syslog configuration in outputs.conf.
priority Number Sets syslog priority value.

The priority value should specified as an integer. See $SPLUNK_HOME/etc/system/README/outputs.conf.spec for details.

server String host:port of the server where syslog data should be sent
syslogSourceType String Specifies a rule for handling data in addition to that provided by the "syslog" sourcetype. By default, there is no value for syslogSourceType.

This string is used as a substring match against the sourcetype key. For example, if the string is set to 'syslog', then all source types containing the string "syslog" receives this special treatment.

To match a source type explicitly, use the pattern "sourcetype::sourcetype_name." For example

syslogSourcetype = sourcetype::apache_common

Data that is "syslog" or matches this setting is assumed to already be in syslog format.

Data that does not match the rules has a header, potentially a timestamp, and a hostname added to the front of the event. This is how Splunk Enterprise causes arbitrary log data to match syslog expectations.

timestampformat String Format of timestamp to add at start of the events to be forwarded.

The format is a strftime-style timestamp formatting string. See $SPLUNK_HOME/etc/system/README/outputs.conf.spec for details.

type String Protocol to use to send syslog data. Valid values: (tcp | udp ).
Response data keys

None

[ Top ]



data/outputs/tcp/syslog/{name}


https://<host>:<mPort>/services/data/outputs/tcp/syslog/{name}

Authentication: Not required

Description

Manage configuration for the {name} forwarder.

Method summary
Method Description Formats
DELETE Deletes the configuration for the forwarder specified by {name} that sends data in syslog format. XML, JSON
GET Returns configuration information for the forwarder specified by {name} that sends data in standard syslog format XML, JSON
POST Updates the configuration of the forwarder specified by {name} that sends data in syslog format. XML, JSON

DELETE data/outputs/tcp/syslog/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/outputs/tcp/syslog/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
disabled Specifies whether global syslog configuration is disabled.
server Specifies server:port where data is forwarded.
type Specifies whether tcp or udp is used to forward data. If unspecified, udp is used. Valid values : (tcp | udp).

POST data/outputs/tcp/syslog/{name} method detail

Example

Request parameters
Name Type Default Description
disabled Boolean If true, disables global syslog settings.
priority Number Sets syslog priority value.

The priority value should specified as an integer. See $SPLUNK_HOME/etc/system/README/outputs.conf.spec for details.

server String host:port of the server where syslog data should be sent
syslogSourceType String Specifies a rule for handling data in addition to that provided by the "syslog" sourcetype. By default, there is no value for syslogSourceType.

This string is used as a substring match against the sourcetype key. For example, if the string is set to 'syslog', then all source types containing the string "syslog" receives this special treatment.

To match a source type explicitly, use the pattern "sourcetype::sourcetype_name." For example

syslogSourcetype = sourcetype::apache_common

Data that is "syslog" or matches this setting is assumed to already be in syslog format.

Data that does not match the rules has a header, potentially a timestamp, and a hostname added to the front of the event. This is how Splunk Enterprise causes arbitrary log data to match syslog expectations.

timestampformat String Format of timestamp to add at start of the events to be forwarded.

The format is a strftime-style timestamp formatting string. See $SPLUNK_HOME/etc/system/README/outputs.conf.spec for details.

type String Protocol to use to send syslog data. Valid values: (tcp | udp ).
Response data keys

None

[ Top ]

Output endpoint examples

data/outputs/tcp/default GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/default
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>tcpout-default</title>
 <id>https://localhost:8089/services/data/outputs/tcp/default</id>
 <updated>2011-07-10T22:38:23-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/default/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/default/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>tcpout</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/default/tcpout</id>
   <updated>2011-07-10T22:38:23-07:00</updated>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="list"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="remove"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="autoLB">1</s:key>
       <s:key name="defaultGroup">spacecake_9998</s:key>
       <s:key name="disabled">0</s:key>
       ... eai:acl nodes elided ...
       <s:key name="forwardedindex.0.whitelist">.*</s:key>
       <s:key name="forwardedindex.1.blacklist">_.*</s:key>
       <s:key name="forwardedindex.2.whitelist">_audit</s:key>
       <s:key name="forwardedindex.filter.disable">0</s:key>
       <s:key name="indexAndForward">0</s:key>
       <s:key name="maxQueueSize">500KB</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


data/outputs/tcp/default POST

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/default/tcpout -d 'defaultGroup=myIndexers'
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>tcpout-default</title>
 <id>https://localhost:8089/services/data/outputs/tcp/default</id>
 <updated>2011-07-10T22:43:53-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/default/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/default/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>

</feed>


data/outputs/tcp/default/{name} DELETE

XML
XML Request

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/data/outputs/tcp/default/tcpout
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>tcpout-default</title>
 <id>https://localhost:8085/services/data/outputs/tcp/default</id>
 <updated>2011-07-19T20:09:02-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/default/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/default/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>

</feed>


data/outputs/tcp/default/{name} GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/default/tcpout
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>tcpout-default</title>
 <id>https://localhost:8089/services/data/outputs/tcp/default</id>
 <updated>2011-07-10T22:38:23-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/default/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/default/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>tcpout</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/default/tcpout</id>
   <updated>2011-07-10T22:38:23-07:00</updated>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="list"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="remove"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="autoLB">1</s:key>
       <s:key name="defaultGroup">spacecake_9998</s:key>
       <s:key name="disabled">0</s:key>
       ... eai:acl nodes elided ...
       <s:key name="forwardedindex.0.whitelist">.*</s:key>
       <s:key name="forwardedindex.1.blacklist">_.*</s:key>
       <s:key name="forwardedindex.2.whitelist">_audit</s:key>
       <s:key name="forwardedindex.filter.disable">0</s:key>
       <s:key name="indexAndForward">0</s:key>
       <s:key name="maxQueueSize">500KB</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



data/outputs/tcp/default/{name} POST

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/default/tcpout -d heartbeatFrequency=60
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>tcpout-default</title>
 <id>https://localhost:8089/services/data/outputs/tcp/default</id>
 <updated>2011-07-10T22:43:53-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/default/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/default/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>

</feed>



data/outputs/tcp/group GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/group
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>tcpout-group</title>
 <id>https://localhost:8089/services/data/outputs/tcp/group</id>
 <updated>2011-07-10T22:21:07-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/group/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/group/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>spacecake_9998</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998</id>
   <updated>2011-07-10T22:21:07-07:00</updated>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998" rel="list"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="disabled">0</s:key>
       ... eai:acl nodes elided ...
       <s:key name="method">autobalance</s:key>
       <s:key name="servers">
         <s:list>
           <s:item>spacecake:9998</s:item>
         </s:list>
       </s:key>
     </s:dict>
   </content>
 </entry>

</feed>



data/outputs/tcp/group POST

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/group -d name=lan_receivers -d method=autobalance -d servers=10.3.3.3:9997,10.4.4.4:9997
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>tcpout-group</title>
 <id>https://localhost:8089/services/data/outputs/tcp/group</id>
 <updated>2011-07-10T22:21:23-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/group/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/group/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>

</feed>



data/outputs/tcp/group/{name} DELETE

XML
XML Request

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/data/outputs/tcp/group/lan_receivers
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>tcpout-group</title>
 <id>https://localhost:8089/services/data/outputs/tcp/group</id>
 <updated>2011-07-10T22:32:47-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/group/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/group/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>

</feed>



data/outputs/tcp/group/{name} GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/group/lan_receivers
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>tcpout-group</title>
 <id>https://localhost:8089/services/data/outputs/tcp/group</id>
 <updated>2011-07-10T22:23:10-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/group/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/group/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>lan_receivers</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers</id>
   <updated>2011-07-10T22:23:10-07:00</updated>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers" rel="list"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="autoLB">1</s:key>
       <s:key name="disabled">0</s:key>
       ... eai:acl nodes elided ...
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list>
               <s:item>autoLB</s:item>
               <s:item>blockOnQueueFull</s:item>
               <s:item>compressed</s:item>
               <s:item>disabled</s:item>
               <s:item>dropEventsOnQueueFull</s:item>
               <s:item>heartbeatFrequency</s:item>
               <s:item>maxPersistentQueueSizeInMegs</s:item>
               <s:item>maxQueueSize</s:item>
               <s:item>method</s:item>
               <s:item>persistentQueuePath</s:item>
               <s:item>sendCookedData</s:item>
               <s:item>usePersistentQueue</s:item>
             </s:list>
           </s:key>
           <s:key name="requiredFields">
             <s:list>
               <s:item>servers</s:item>
             </s:list>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="method">autobalance</s:key>
       <s:key name="servers">
         <s:list>
           <s:item>10.3.3.3:9997</s:item>
           <s:item>10.4.4.4:9997</s:item>
         </s:list>
       </s:key>
     </s:dict>
   </content>
 </entry>

</feed>



data/outputs/tcp/group/{name} POST

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/group/lan_receivers -d maxQueueSize=1024KB -d servers=10.3.3.3:9997,10.4.4.4:9997
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>tcpout-group</title>
 <id>https://localhost:8089/services/data/outputs/tcp/group</id>
 <updated>2011-07-10T22:26:02-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/group/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/group/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>

</feed>



data/outputs/tcp/server GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/server
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>tcpout-server</title>
 <id>https://localhost:8089/services/data/outputs/tcp/server</id>
 <updated>2011-07-10T21:34:59-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/server/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>spacecake:9998</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998</id>
   <updated>2011-07-10T21:34:59-07:00</updated>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998" rel="list"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998" rel="remove"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998/allconnections" rel="allconnections"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="destHost">spacecake.splunk.com</s:key>
       <s:key name="destIp">10.1.1.73</s:key>
       <s:key name="destPort">9998</s:key>
       <s:key name="disabled">0</s:key>
       ... eai:acl nodes elided ...
       <s:key name="method">autobalance</s:key>
       <s:key name="sourcePort">8085</s:key>
       <s:key name="status">connect_fail</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



data/outputs/tcp/server POST

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/server -d name=tiny:9997
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>tcpout-server</title>
 <id>https://localhost:8089/services/data/outputs/tcp/server</id>
 <updated>2011-07-10T21:35:13-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/server/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>

</feed>



data/outputs/tcp/server/{name} DELETE

XML
XML Request

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/data/outputs/tcp/server/tiny:9997
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>tcpout-server</title>
 <id>https://localhost:8089/services/data/outputs/tcp/server</id>
 <updated>2011-07-10T21:35:41-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/server/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>

</feed>



data/outputs/tcp/server/{name} GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/server/tiny:9997
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>tcpout-server</title>
 <id>https://localhost:8089/services/data/outputs/tcp/server</id>
 <updated>2011-07-10T21:35:24-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/server/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>tiny:9997</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997</id>
   <updated>2011-07-10T21:35:24-07:00</updated>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997" rel="list"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997" rel="remove"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997/allconnections" rel="allconnections"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="disabled">0</s:key>
       ... eai:acl nodes elided ...
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list>
               <s:item>backoffAtStartup</s:item>
               <s:item>disabled</s:item>
               <s:item>initialBackoff</s:item>
               <s:item>maxBackoff</s:item>
               <s:item>maxNumberOfRetriesAtHighestBackoff</s:item>
               <s:item>method</s:item>
               <s:item>sslAltNameToCheck</s:item>
               <s:item>sslCertPath</s:item>
               <s:item>sslCipher</s:item>
               <s:item>sslCommonNameToCheck</s:item>
               <s:item>sslPassword</s:item>
               <s:item>sslRootCAPath</s:item>
               <s:item>sslVerifyServerCert</s:item>
             </s:list>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="method">autobalance</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



data/outputs/tcp/server/{name} POST

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/server/tiny:9997 -d initialBackoff=10
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>tcpout-server</title>
 <id>https://localhost:8089/services/data/outputs/tcp/server</id>
 <updated>2011-07-10T21:35:33-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/server/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>

</feed>



data/outputs/tcp/server/{name}/allconnections GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/server/localhost%3A9997/allconnections
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>tcpout-server</title>
 <id>https://localhost:8089/services/data/outputs/tcp/server</id>
 <updated>2011-07-15T15:15:12-0700</updated>
 <generator version="101277"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/server/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>localhost:9997</title>
   <id>https://localhost:8089/services/data/outputs/tcp/server/localhost%3A9997</id>
   <updated>2011-07-15T15:15:12-0700</updated>
   <link href="/services/data/outputs/tcp/server/localhost%3A9997" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/data/outputs/tcp/server/localhost%3A9997" rel="list"/>
   <link href="/services/data/outputs/tcp/server/localhost%3A9997/_reload" rel="_reload"/>
   <link href="/services/data/outputs/tcp/server/localhost%3A9997" rel="edit"/>
   <link href="/services/data/outputs/tcp/server/localhost%3A9997" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="destHost">localhost</s:key>
       <s:key name="destIp">127.0.0.1</s:key>
       <s:key name="destPort">9997</s:key>
       ... eai:acl nodes elided ...
       <s:key name="sourcePort">8089</s:key>
       <s:key name="status">connect_done</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



data/outputs/tcp/syslog GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/syslog
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>syslog</title>
 <id>https://localhost:8089/services/data/outputs/tcp/syslog</id>
 <updated>2011-07-21T22:16:11-0700</updated>
 <generator version="101277"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/syslog/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>myServers</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers</id>
   <updated>2011-07-21T22:16:11-0700</updated>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="list"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="disabled">1</s:key>
       ... eai:acl nodes elided ...
       <s:key name="server">syslogservers.splunk.com:514</s:key>
       <s:key name="type">tcp</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



data/outputs/tcp/syslog POST

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/syslog -d myServers -d server=my.server.com:514
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>syslog</title>
 <id>https://localhost:22090/services/data/outputs/tcp/syslog</id>
 <updated>2011-07-21T23:00:26-07:00</updated>
 <generator version="104359"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/syslog/_new" rel="create"/>
 <opensearch:totalResults>0</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>

</feed>



data/outputs/tcp/syslog/{name} DELETE

XML
XML Request

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/data/outputs/tcp/syslog/myServers
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>syslog</title>
 <id>https://localhost:8089/services/data/outputs/tcp/syslog</id>
 <updated>2011-07-21T22:20:52-0700</updated>
 <generator version="101277"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/syslog/_new" rel="create"/>
 <opensearch:totalResults>0</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>

</feed>



data/outputs/tcp/syslog/{name} GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/syslog/myServers
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>syslog</title>
 <id>https://localhost:8089/services/data/outputs/tcp/syslog</id>
 <updated>2011-07-21T22:30:33-0700</updated>
 <generator version="101277"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/syslog/_new" rel="create"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>myServers</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers</id>
   <updated>2011-07-21T22:30:33-0700</updated>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="list"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="disabled">1</s:key>
       ... eai:acl nodes elided ...
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="server">syslogservers.splunk.com:514</s:key>
       <s:key name="type">tcp</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



data/outputs/tcp/syslog/{name} POST

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/syslog/myServers -d type=udp
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>syslog</title>
 <id>https://localhost:8089/services/data/outputs/tcp/syslog</id>
 <updated>2011-07-21T22:53:23-07:00</updated>
 <generator version="104359"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/syslog/_new" rel="create"/>
 <opensearch:totalResults>0</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>

</feed>

Search endpoints

Search endpoint descriptions

Manage search-related resources:

alerts/fired_alerts


https://<host>:<mPort>/services/alerts/fired_alerts

Authentication: Not required

Description

Get all fired alerts.

Method summary
Method Description Formats
GET Get a summary view of all fired alerts. XML, JSON

GET alerts/fired_alerts method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
triggered_alert_count the number of time this alert is triggered.

[ Top ]



alerts/fired_alerts/{name}


https://<host>:<mPort>/services/alerts/fired_alerts/{name}

Authentication: Not required

Description

Delete or view {name} alert.

Method summary
Method Description Formats
DELETE Delete the record of this triggered alert. XML, JSON
GET Get a list of all unexpired triggered or fired instances of this alert. XML, JSON

DELETE alerts/fired_alerts/{name} method detail

Example

Request parameters

None

Response data keys

None


GET alerts/fired_alerts/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
actions Any additional alert actions triggered by this alert.
alert_type Indicates if the alert was historical or real-time.
digest_mode
expiration_time_rendered
savedsearch_name Name of the saved search that triggered the alert.
severity Indicates the severity level of an alert.

Severity level ranges from Info, Low, Medium, High, and Critical. Default is Medium.

Severity levels are informational in purpose and have no additional functionality.

sid The search ID of the search that triggered the alert.
trigger_time The time the alert was triggered.
trigger_time_rendered
triggered_alerts
Application usage

Specify - for {name} to return all fired alerts.

[ Top ]



data/commands


https://<host>:<mPort>/services/data/commands

Authentication: Not required

Description

Access Python search commands.

Method summary
Method Description Formats
GET List all python search commands. XML, JSON

GET data/commands method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
changes_colorder Indicates whether the script output should be used to change the column ordering of the fields.
disabled Indicates if the command is disabled.
enableheader Indicate whether or not your script is expecting header information or not.


Currently, the only thing in the header information is an auth token. If set to true the command expects as input a head section + '\ ' then the csv input.

Note: Should be set to true if you use splunk.Intersplunk

filename Name of script file for command.

<stanza-name>.pl for perl.

<stanza-name>.py for python.

generates_timeorder If generating = false and streaming = true, indicates if the command changes the order of events w/respect to time.
generating Indicates if the command generates new events.
maxinputs Maximum number of events that can be passed to the command for each invocation. This limit cannot exceed the value of maxresultrows in limits.conf.

0 indicates no limit. Defaults to 50000.

outputheader If true, the output of script should be a header section + blank line + csv ouput.

If false, script output should be pure csv only.

passauth If true, passes an authentication token on the start of input.
required_fields A list of fields that this command may use. Informs previous commands that they should retain/extract these fields if possible. No error is generated if a field specified is missing.

Defaults to '*'.

requires_preop Indicates whether the command sequence specified by the streaming_preop key is required for proper execution or is it an optimization only.

Default is false (stremaing_preop not required).

retainsevents Indicates whether the command retains events (the way the sort/dedup/cluster commands do) or whether the command transforms them (the way the stats command does).
streaming Indicates whether the command is streamable.
supports_getinfo Indicates whether the command supports dynamic probing for settings (first argument invoked == __GETINFO__ or __EXECUTE__).
supports_rawargs Indicates whether the command supports raw arguments being passed to it or if it uses parsed arguments (where quotes are stripped).
type Specifies the type of command. The only valid value for this attribute is python.

[ Top ]



data/commands/{name}


https://<host>:<mPort>/services/data/commands/{name}

Authentication: Not required

Description

Get information about the {name} python search command.

Method summary
Method Description Formats
GET Get information about the {name} python search command. XML, JSON

GET data/commands/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
changes_colorder Indicates whether the script output should be used to change the column ordering of the fields.
disabled Indicates if the command is disabled.
enableheader Indicate whether or not your script is expecting header information or not.


Currently, the only thing in the header information is an auth token. If set to true the command expects as input a head section + '\ ' then the csv input.

Note: Should be set to true if you use splunk.Intersplunk

filename Name of script file for command.

<stanza-name>.pl for perl.

<stanza-name>.py for python.

generates_timeorder If generating = false and streaming = true, indicates if the command changes the order of events w/respect to time.
generating Indicates if the command generates new events.
maxinputs Maximum number of events that can be passed to the command for each invocation. This limit cannot exceed the value of maxresultrows in limits.conf.

0 indicates no limit. Defaults to 50000.

outputheader If true, the output of script should be a header section + blank line + csv ouput.

If false, script output should be pure csv only.

passauth If true, passes an authentication token on the start of input.
required_fields A list of fields that this command may use. Informs previous commands that they should retain/extract these fields if possible. No error is generated if a field specified is missing.

Defaults to '*'.

requires_preop Indicates whether the command sequence specified by the streaming_preop key is required for proper execution or is it an optimization only.

Default is false (stremaing_preop not required).

retainsevents Indicates whether the command retains events (the way the sort/dedup/cluster commands do) or whether the command transforms them (the way the stats command does).
streaming Indicates whether the command is streamable.
supports_getinfo Indicates whether the command supports dynamic probing for settings (first argument invoked == __GETINFO__ or __EXECUTE__).
supports_rawargs Indicates whether the command supports raw arguments being passed to it or if it uses parsed arguments (where quotes are stripped).
type Specifies the type of command.

The only valid value for this attribute is python.

[ Top ]



saved/searches


https://<host>:<mPort>/services/saved/searches

Authentication: Not required

Description

Get saved search configurations.

Method summary
Method Description Formats
GET Get information on all saved searches. XML, JSON
POST Creates a saved search. XML, JSON

GET saved/searches method detail

Example

Request parameters
Name Type Default Description
earliest_time String For scheduled searches display all the scheduled times starting from this time (not just the next run time)
latest_time String For scheduled searches display all the scheduled times until this time (not just the next run time)
listDefaultActionArgs Boolean Indicates whether to list default actions.

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
action.email Indicates the state of the email action.
action.email.sendresults Indicates whether search results are attached to the email.
action.email.to List of addresses for email recipients.
action.populate_lookup Indicates the state of the populate lookup action.
action.rss Indicates the state of the RSS action.
action.script Indicates the state of the script action.
action.summary_index Indicates the state of the summary index action.
alert.digest_mode Indicates if Splunk Enterprise applies the alert actions to the entire result set or on each individual result.
alert.expires Sets the period of time to show the alert in the dashboard. Defaults to 24h.

Uses [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.

alert.severity The alert severity level.

Valid values are:

1 DEBUG
2 INFO
3 WARN
4 ERROR
5 SEVERE
6 FATAL
alert.suppress Indicates whether alert suppression is enabled for this schedules search.
alert.suppress.period Specifies the suppresion period. Only valid if alert.supress is enabled.

Uses [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.

alert.track Specifies whether to track the actions triggered by this scheduled search.

auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions.

true - force alert tracking.

false - disable alert tracking for this search.

alert_comparator One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by perc
alert_condition A conditional search that is evaluated against the results of the saved search. Defaults to an empty string.

Alerts are triggered if the specified search yields a non-empty search result list.

Note: If you specify an alert_condition, do not set counttype, relation, or quantity.

alert_threshold Valid values are: Integer[%]

Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to "rises by perc" or "drops by perc."

alert_type What to base the alert on, overriden by alert_condition if it is specified.

Valid values are: always, custom, number of events, number of hosts, number of sources

cron_schedule The cron schedule to execute this search.

For more information, refer to the description of this parameter in the POST endpoint.

description Description of the saved search.
disabled Indicates if this saved search is disabled.
dispatch.buckets The maximum nuber of timeline buckets.
dispatch.earliest_time A time string that specifies the earliest time for this search. Can be a relative or absolute time.

If this value is an absolute time, use the dispatch.time_format to format the value.

dispatch.latest_time A time string that specifies the latest time for the saved search. Can be a relative or absolute time.

If this value is an absolute time, use the dispatch.time_format to format the value.

dispatch.lookups Indicates if lookups are enabled for this search.
dispatch.max_count The maximum number of results before finalizing the search.
dispatch.max_time Indicates the maximum amount of time (in seconds) before finalizing the search.
dispatch.reduce_freq Specifies how frequently Splunk Enterprise should run the MapReduce reduce phase on accumulated map values.
dispatch.spawn_process Specifies whether Splunk Enterprise spawns a new search process when this saved search is executed.

Searches against indexes must run in a separate process.

dispatch.time_format Time format string that defines the time format that Splunk Enterprise uses to specify the earliest and latest time.
dispatch.ttl Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.

If an action is triggered Splunk Enterprise changes the ttl to that action ttl. If multiple actions are triggered, Splunk Enterprise applies the maximum ttl to the artifacts. To set the action ttl, refer to alert_actions.conf.spec.

If the integer is followed by the letter 'p' Splunk Enterprise interprets the ttl as a multiple of the scheduled search period.

displayview Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
earliest_time For scheduled searches display all the scheduled times starting from this time (not just the next run time).
is_scheduled Indicates if this search is to be run on a schedule
is_visible Indicates if this saved search appears in the visible saved search list.
latest_time For scheduled searches display all the scheduled times until this time (not just the next run time).
listDefaultActionArgs List default values of actions.*, even though some of the actions may not be specified in the saved search.
max_concurrent The maximum number of concurrent instances of this search the scheduler is allowed to run.
next_scheduled_time Time when the scheduler runs this search again.
qualifiedSearch The exact search string that the scheduler would run.
realtime_schedule Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time.

If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.

If set to 1, the scheduler might skip some execution periods to make sure that the scheduler is executing the searches running over the most recent time range.

The scheduler tries to execute searches that have realtime_schedule set to 1 before it executes searches that have continuous scheduling (realtime_schedule = 0).

request.ui_dispatch_app A field used by Splunk Web to denote the app this search should be dispatched in.
request.ui_dispatch_view Specifies a field used by Splunk Web to denote the view this search should be displayed in.
restart_on_searchpeer_add Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search.

Note: The peer can be a newly added peer or a peer down and now available.

run_on_startup Indicates whether this search runs when Splunk Enterprise starts. If it does not run on startup, it runs at the next scheduled time.

Splunk Enterprise recommends that you set run_on_startup to true for scheduled searches that populate lookup tables.

search Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

vsid The viewstate id associated with the UI view listed in 'displayview'.

Matches to a stanza in viewstates.conf.


POST saved/searches method detail

Example

Request parameters
Name Type Default Description
action.* String Wildcard argument for any action.

Use this parameter to specify specific action arguments. For example, to specify the email recipients for action.email.to.

action.email Boolean 0 The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions.
action.email.auth_password String The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next Splunk Enterprise restart.

Defaults to empty string.

action.email.auth_username String The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty string.

NOTE: Your SMTP server might reject unauthenticated emails.

action.email.bcc String BCC email address to use if action.email is enabled.
action.email.cc String CC email address to use if action.email is enabled.
action.email.command String The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.email.format Enum Valid values: (plain | html | raw | csv)

Specify the format of text in the email. This value also applies to any attachments.

action.email.from String Email address from which the email action originates.

Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.

action.email.hostname String Sets the hostname used in the web link (url) sent in email actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

When this value is a simple hostname, the protocol and port which are configured within splunk are used to construct the base of the url.

When this value begins with 'http://', it is used verbatim. NOTE: This means the correct port must be specified if it is not the default port for http or https. This is useful in cases when the Splunk Enterprise server is not aware of how to construct an externally referencable url, such as SSO environments, other proxies, or when the Splunk Enterprise server hostname is not generally resolvable.

Defaults to current hostname provided by the operating system, or if that fails "localhost". When set to empty, default behavior is used.

action.email.inline Boolean Indicates whether the search results are contained in the body of the email.

Results can be either inline or attached to an email. See action.email.sendresults.

action.email.mailserver String Set the address of the MTA server to be used to send the emails.

Defaults to <LOCALHOST> (or whatever is set in alert_actions.conf).

action.email.maxresults Number Sets the global maximum number of search results to send when email.action is enabled.

Defaults to 100.

action.email.maxtime Number Valid values are Integer[m|s|h|d].

Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.

action.email.pdfview String The name of the view to deliver if sendpdf is enabled
action.email.preprocess_results String Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).

Usually the preprocessing consists of filtering out unwanted internal fields.

action.email.reportCIDFontList Enum Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.

If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.

To skip loading any CID fonts, specify the empty string.

Defaults to "gb cns jp kor"

action.email.reportIncludeSplunkLogo Boolean Indicates whether to include the Splunk logo with the report.
action.email.reportPaperOrientation Enum Valid values: (portrait | landscape)

Specifies the paper orientation: portrait or landscape. Defaults to portrait.

action.email.reportPaperSize Enum Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)

Specifies the paper size for PDFs. Defaults to letter.

action.email.reportServerEnabled Boolean Not supported.
action.email.reportServerURL String Not supported.

For a default locally installed report server, the URL is http://localhost:8091/

action.email.sendpdf Boolean Indicates whether to create and send the results as a PDF. Defaults to false.
action.email.sendresults Boolean Indicates whether to attach the search results in the email.

Results can be either attached or inline. See action.email.inline.

action.email.subject String Specifies an alternate email subject.

Defaults to SplunkAlert-<savedsearchname>.

action.email.to String A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
action.email.track_alert Boolean Indicates whether the execution of this action signifies a trackable alert.
action.email.ttl Number Valid values are Integer[p].

Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows <Integer>, int is the number of scheduled periods. Defaults to 86400 (24 hours).

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

action.email.use_ssl Boolean Indicates whether to use SSL when communicating with the SMTP server.

Defaults to false.

action.email.use_tls Boolean Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).

Defaults to false.

action.email.width_sort_columns Boolean Indicates whether columns should be sorted from least wide to most wide, left to right.

Only valid if format=text.

action.populate_lookup Boolean 0 The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions.
action.populate_lookup.command String The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.populate_lookup.dest String Lookup name of path of the lookup to populate
action.populate_lookup.hostname String Sets the hostname used in the web link (url) sent in alert actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

See action.email.hostname for details.

action.populate_lookup.maxresults Number Sets the maximum number of search results sent using alerts. Defaults to 100.
action.populate_lookup.maxtime Number Valid values are: Integer[m|s|h|d]

Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.

action.populate_lookup.track_alert Boolean Indicates whether the execution of this action signifies a trackable alert.
action.populate_lookup.ttl Number Valid values are Integer[p]

Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

action.rss Boolean 0 The state of the rss action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions.
action.rss.command String The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.rss.hostname String Sets the hostname used in the web link (url) sent in alert actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

See action.email.hostname for details.

action.rss.maxresults Number Sets the maximum number of search results sent using alerts. Defaults to 100.
action.rss.maxtime Number Valid values are Integer[m|s|h|d].

Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.

action.rss.track_alert Boolean Indicates whether the execution of this action signifies a trackable alert.
action.rss.ttl Number Valid values are: Integer[p]

Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

action.script Boolean 0 The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions.
action.script.command String The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.script.filename String File name of the script to call. Required if script action is enabled
action.script.hostname String Sets the hostname used in the web link (url) sent in alert actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

See action.email.hostname for details.

action.script.maxresults Number Sets the maximum number of search results sent using alerts. Defaults to 100.
action.script.maxtime Number Valid values are: Integer[m|s|h|d]

Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.

action.script.track_alert Boolean Indicates whether the execution of this action signifies a trackable alert.
action.script.ttl Number Valid values are: Integer[p]

Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 600 (10 minutes).

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

action.summary_index Boolean 0 The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions.

Defaults to 0

action.summary_index._name String Specifies the name of the summary index where the results of the scheduled search are saved.

Defaults to "summary."

action.summary_index.command String The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.summary_index.hostname String Sets the hostname used in the web link (url) sent in summary-index alert actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

See action.email.hostname for details.

action.summary_index.inline Boolean Determines whether to execute the summary indexing action as part of the scheduled search.

NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).

Defaults to true

action.summary_index.maxresults Number Sets the maximum number of search results sent using alerts. Defaults to 100.
action.summary_index.maxtime Number Valid values are: Integer[m|s|h|d]

Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.

action.summary_index.track_alert Boolean Indicates whether the execution of this action signifies a trackable alert.
action.summary_index.ttl Number Valid values are: Integer[p]

Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 10p.

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

actions String A comma-separated list of actions to enable.

For example: rss,email

alert.digest_mode Boolean 1 Specifies whether Splunk Enterprise applies the alert actions to the entire result set or on each individual result.

Defaults to true.

alert.expires Number 24h Valid values: [number][time-unit]

Sets the period of time to show the alert in the dashboard. Defaults to 24h.

Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.

alert.severity Enum 3 Valid values: (1 | 2 | 3 | 4 | 5 | 6)

Sets the alert severity level.

Valid values are:

1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL

alert.suppress Boolean Indicates whether alert suppression is enabled for this scheduled search.
alert.suppress.fields String Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
alert.suppress.period Number Valid values: [number][time-unit]

Specifies the suppresion period. Only valid if alert.supress is enabled.

Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.

alert.track Enum auto Valid values: (true | false | auto)

Specifies whether to track the actions triggered by this scheduled search.

auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions.

true - force alert tracking.

false - disable alert tracking for this search.

alert_comparator String One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by perc

Used with alert_threshold to trigger alert actions.

alert_condition String Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.

Alerts are triggered if the specified search yields a non-empty search result list.

NOTE: If you specify an alert_condition, do not set counttype, relation, or quantity.

alert_threshold Number Valid values are: Integer[%]

Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to "rises by perc" or "drops by perc."

alert_type String What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources
args.* String Wildcard argument that accepts any saved search template argument, such as args.username=foobar when the search is search $username$.
auto_summarize Boolean 0 Indicates whether the scheduler should ensure that the data for this search is automatically summarized.
auto_summarize.command String summarize override=partial timespan=$auto_summarize.timespan$ max_summary_size=$auto_summarize.max_summary_size$ max_summary_ratio=$auto_summarize.max_summary_ratio$ max_disabled_buckets=$auto_summarize.max_disabled_buckets$ max_time=$auto_summarize.max_time$ [ $search$ ] A search template that constructs the auto summarization for this search.

Caution: Advanced feature. Do not change unless you understand the architecture of auto summarization of saved searches.

auto_summarize.cron_schedule String */10 * * * * Cron schedule that probes and generates the summaries for this saved search.

The default value corresponds to every ten hours.

auto_summarize.dispatch.earliest_time String A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.

If this value is an absolute time, use the dispatch.time_format to format the value.

auto_summarize.dispatch.latest_time String A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.

If this value is an absolute time, use the dispatch.time_format to format the value.

auto_summarize.dispatch.time_format String  %FT%T.%Q%:z Defines the time format that Splunk Enterprise uses to specify the earliest and latest time.
auto_summarize.dispatch.ttl String 60 Valid values: Integer[p]

Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.

auto_summarize.max_disabled_buckets Number 2 The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period.
auto_summarize.max_summary_ratio Number 0.1 The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket.

Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.

auto_summarize.max_summary_size Number 52428800 The minimum summary size, in bytes, before testing whether the summarization is helpful.

The default value is equivalent to 5MB.

auto_summarize.max_time Number 3600 Maximum time (in seconds) that the summary search is allowed to run.

Note: This is an approximate time. The summary search stops at clean bucket boundaries.

auto_summarize.suspend_period String 24h Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.
auto_summarize.timespan String The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.

For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.

cron_schedule String Valid values: cron string

The cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.

cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43.

Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes.

description String Human-readable description of this saved search. Defaults to empty string.
disabled Boolean 0 Indicates if the saved search is enabled.

Disabled saved searches are not visible in Splunk Web.

dispatch.* String Wildcard argument that accepts any dispatch related argument.
dispatch.buckets Number 0 The maximum number of timeline buckets.
dispatch.earliest_time String A time string that specifies the earliest time for this search. Can be a relative or absolute time.

If this value is an absolute time, use the dispatch.time_format to format the value.

dispatch.indexedRealtime Boolean Indicates whether to used indexed-realtime mode when doing real-time searches.
dispatch.latest_time String A time string that specifies the latest time for this saved search. Can be a relative or absolute time.

If this value is an absolute time, use the dispatch.time_format to format the value.

dispatch.lookups Boolean 1 Enables or disables the lookups for this search.
dispatch.max_count Number 500000 The maximum number of results before finalizing the search.
dispatch.max_time Number 0 Indicates the maximum amount of time (in seconds) before finalizing the search.
dispatch.reduce_freq Number 10 Specifies, in seconds, how frequently Splunk Enterprise should run the MapReduce reduce phase on accumulated map values.
dispatch.rt_backfill Boolean 0 Whether to back fill the real time window for this search. Parameter valid only if this is a real time search
dispatch.spawn_process Boolean 1 Specifies whether Splunk Enterprise spawns a new search process when this saved search is executed.

Searches against indexes must run in a separate process.

dispatch.time_format String  %FT%T.%Q%:z A time format string that defines the time format that Splunk Enterprise uses to specify the earliest and latest time.
dispatch.ttl Number 2p Valid values: Integer[p]

Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.

If an action is triggered Splunk Enterprise changes the ttl to that action ttl. If multiple actions are triggered, Splunk Enterprise applies the maximum ttl to the artifacts. To set the action ttl, refer to alert_actions.conf.spec.

If the integer is followed by the letter 'p' Splunk Enterprise interprets the ttl as a multiple of the scheduled search period.

displayview String Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
is_scheduled Boolean Whether this search is to be run on a schedule
is_visible Boolean 1 Specifies whether this saved search should be listed in the visible saved search list.
max_concurrent Number 1 The maximum number of concurrent instances of this search the scheduler is allowed to run.
name
required
String A name for the search.
next_scheduled_time String Read-only attribute. Value ignored on POST. There are some old clients who still send this value
qualifiedSearch String Read-only attribute. Value ignored on POST. Splunk Enterprise computes this value during runtime.
realtime_schedule Boolean 1 Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time.

If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.

If set to 1, the scheduler might skip some execution periods to make sure that the scheduler is executing the searches running over the most recent time range.

The scheduler tries to execute searches that have realtime_schedule set to 1 before it executes searches that have continuous scheduling (realtime_schedule = 0).

request.ui_dispatch_app String Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
request.ui_dispatch_view String Specifies a field used by Splunk Web to denote the view this search should be displayed in.
restart_on_searchpeer_add Boolean 1 Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search.

NOTE: The peer can be a newly added peer or a peer down and now available.

run_on_startup Boolean 0 Indicates whether this search runs when Splunk Enterprise starts. If it does not run on startup, it runs at the next scheduled time.

Splunk recommends that you set run_on_startup to true for scheduled searches that populate lookup tables.

search
required
String The search to save.
vsid String Defines the viewstate id associated with the UI view listed in 'displayview'.

Must match up to a stanza in viewstates.conf.

Response data keys
Name Description
action.* * represents any custom action.
action.email Indicates the state of the email action.
action.email.auth_password The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next Splunk Enterprise restart.

Defaults to empty string.

action.email.auth_username The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty string.

Note: Your SMTP server might reject unauthenticated emails.

action.email.bcc BCC email address to use if action.email is enabled.
action.email.cc CC email address to use if action.email is enabled.
action.email.command The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.email.format Specify the format of text in the email. This value also applies to any attachments.<

Valid values: (plain | html | raw | csv)

action.email.from Email address from which the email action originates.

Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.

action.email.hostname Sets the hostname used in the web link (url) sent in email actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

When this value is a simple hostname, the protocol and port which are configured within splunk are used to construct the base of the url.

When this value begins with 'http://', it is used verbatim. NOTE: This means the correct port must be specified if it is not the default port for http or https. This is useful in cases when the Splunk Enterprise server is not aware of how to construct an externally referencable url, such as SSO environments, other proxies, or when the Splunk Enterprise server hostname is not generally resolvable.

Defaults to current hostname provided by the operating system, or if that fails "localhost". When set to empty, default behavior is used.

action.email.inline Indicates whether the search results are contained in the body of the email.

Results can be either inline or attached to an email. See action.email.sendresults.

action.email.mailserver Set the address of the MTA server to be used to send the emails.

Defaults to <LOCALHOST> (or whatever is set in alert_actions.conf).

action.email.maxresults Sets the global maximum number of search results to send when email.action is enabled.
action.email.maxtime Specifies the maximum amount of time the execution of an email action takes before the action is aborted.
action.email.pdfview The name of the view to deliver if sendpdf is enabled
action.email.preprocess_results Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).

Usually the preprocessing consists of filtering out unwanted internal fields.

action.email.reportCIDFontList Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.

If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.

To skip loading any CID fonts, specify the empty string.

Default value: "gb cns jp kor"

action.email.reportIncludeSplunkLogo Indicates whether to include the Splunk logo with the report.
action.email.reportPaperOrientation Specifies the paper orientation: portrait or landscape.
action.email.reportPaperSize Specifies the paper size for PDFs. Defaults to letter.

Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)

action.email.reportServerEnabled Not supported.
action.email.reportServerURL Not supported.
action.email.sendpdf Indicates whether to create and send the results as a PDF.
action.email.sendresults Indicates whether to attach the search results in the email.

Results can be either attached or inline. See action.email.inline.

action.email.subject Specifies an email subject.

Defaults to SplunkAlert-<savedsearchname>.

action.email.to List of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
action.email.track_alert Indicates whether the execution of this action signifies a trackable alert.
action.email.ttl Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows <Integer>, int is the number of scheduled periods. Defaults to 86400 (24 hours).

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

Valid values are Integer[p].

action.email.use_ssl Indicates whether to use SSL when communicating with the SMTP server.
action.email.use_tls Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).
action.email.width_sort_columns Indicates whether columns should be sorted from least wide to most wide, left to right.

Only valid if format=text.

action.populate_lookup Indicates the state of the populate lookup action.
action.populate_lookup.command The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.populate_lookup.dest Lookup name of path of the lookup to populate.
action.populate_lookup.hostname Sets the hostname used in the web link (url) sent in alert actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

See action.email.hostname for details.

action.populate_lookup.maxresults The maximum number of search results sent using alerts.
action.populate_lookup.maxtime Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.

Valid values are: Integer[m|s|h|d]

action.populate_lookup.track_alert Indicates whether the execution of this action signifies a trackable alert.
action.populate_lookup.ttl Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

Valid values are Integer[p]

action.rss Indicates the state of the RSS action.
action.rss.command The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.rss.hostname Sets the hostname used in the web link (url) sent in alert actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

See action.email.hostname for details.

action.rss.maxresults Sets the maximum number of search results sent using alerts.
action.rss.maxtime Sets the maximum amount of time the execution of an action takes before the action is aborted.

Valid values are Integer[m |s |h |d].

action.rss.track_alert Indicates whether the execution of this action signifies a trackable alert.
action.rss.ttl Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

Valid values are: Integer[p]

action.script Indicates the state of the script for this action.
action.script.command The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.script.filename File name of the script to call. Required if script action is enabled
action.script.hostname Sets the hostname used in the web link (url) sent in alert actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

See action.email.hostname for details.

action.script.maxresults Sets the maximum number of search results sent using alerts.
action.script.maxtime Sets the maximum amount of time the execution of an action takes before the action is aborted.
action.script.track_alert Indicates whether the execution of this action signifies a trackable alert.
action.script.ttl Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 600 (10 minutes).

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

Valid values are: Integer[p]

action.summary_index Indicates the state of the summary index.
action.summary_index._name Specifies the name of the summary index where the results of the scheduled search are saved.

Defaults to "summary."

action.summary_index.command The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.summary_index.hostname Sets the hostname used in the web link (url) sent in alert actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

See action.email.hostname for details.

action.summary_index.inline Determines whether to execute the summary indexing action as part of the scheduled search.

Note: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).

action.summary_index.maxresults Sets the maximum number of search results sent using alerts.
action.summary_index.maxtime Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.

Valid values are: Integer[m|s|h|d]

action.summary_index.track_alert Indicates whether the execution of this action signifies a trackable alert.
action.summary_index.ttl Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 10p.

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

Valid values are: Integer[p]

actions Actions triggerd by this alert.
alert.digest_mode Indicates if Splunk Enterprise applies the alert actions to the entire result set or on each individual result.
alert.expires Sets the period of time to show the alert in the dashboard. Defaults to 24h.

Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.

Valid values: [number][time-unit]

alert.severity Valid values: (1 | 2 | 3 | 4 | 5 | 6)

Sets the alert severity level.

Valid values are:

1 DEBUG
2 INFO
3 WARN
4 ERROR
5 SEVERE
6 FATAL
alert.suppress Indicates whether alert suppression is enabled for this schedules search.
alert.suppress.fields Fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
alert.suppress.period Specifies the suppresion period. Only valid if alert.supress is enabled.

Uses [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.

alert.track Specifies whether to track the actions triggered by this scheduled search.

auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions.

true - force alert tracking.

false - disable alert tracking for this search.

alert_comparator One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by perc
alert_condition A conditional search that is evaluated against the results of the saved search. Defaults to an empty string.

Alerts are triggered if the specified search yields a non-empty search result list.

Note: If you specify an alert_condition, do not set counttype, relation, or quantity.

alert_threshold Valid values are: Integer[%]

Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to "rises by perc" or "drops by perc."

alert_type What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources
args.* Wildcard argument that accepts any saved search template argument, such as args.username=foobar when the search is search $username$.
auto_summarize Indicates whether the scheduler should ensure that the data for this search is automatically summarized.
auto_summarize.command A search template that constructs the auto summarization for this search.

Caution: Advanced feature. Do not change unless you understand the architecture of auto summarization of saved searches.

auto_summarize.cron_schedule Cron schedule that probes and generates the summaries for this saved search.
auto_summarize.dispatch.earliest_time A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.
auto_summarize.dispatch.latest_time A time string that specifies the latest time for this saved search. Can be a relative or absolute time.
auto_summarize.dispatch.time_format Time format used to specify the earliest and latest times.
auto_summarize.dispatch.ttl Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search. If the integer is followed by the letter 'p' Splunk Enterprise interprets the ttl as a multiple of the scheduled search period.
auto_summarize.max_disabled_buckets The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period.
auto_summarize.max_summary_ratio The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket.

Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.

auto_summarize.max_summary_size The minimum summary size, in bytes, before testing whether the summarization is helpful.
auto_summarize.max_time Maximum time (in seconds) that the summary search is allowed to run.

Note: This is an approximate time. The summary search stops at clean bucket boundaries.

auto_summarize.suspend_period Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.
auto_summarize.timespan The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available.

For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.

cron_schedule The cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.

cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43.

Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes.

Valid values: cron string

description Description of this saved search. Defaults to empty string.
disabled Indicates if this saved search is disabled.
dispatch.* * represents any custom dispatch field.
dispatch.buckets The maximum nuber of timeline buckets.
dispatch.earliest_time A time string that specifies the earliest time for this search. Can be a relative or absolute time.

If this value is an absolute time, use the dispatch.time_format to format the value.

dispatch.indexedRealtime Indicates whether to used indexed-realtime mode when doing real-time searches.
dispatch.latest_time A time string that specifies the latest time for the aved search. Can be a relative or absolute time.

If this value is an absolute time, use the dispatch.time_format to format the value.

dispatch.lookups Indicates if lookups are enabled for this search.
dispatch.max_count The maximum number of results before finalizing the search.
dispatch.max_time Indicates the maximum amount of time (in seconds) before finalizing the search.
dispatch.reduce_freq Specifies how frequently Splunk Enterprise should run the MapReduce reduce phase on accumulated map values.
dispatch.rt_backfill Indicates whether to back fill the real time window for this search. Parameter valid only if this is a real time search
dispatch.spawn_process Indicates whether Splunk Enterprise spawns a new search process when this saved search is executed.
dispatch.time_format Time format string that defines the time format that Splunk Enterprise uses to specify the earliest and latest time.
dispatch.ttl Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.

If an action is triggered Splunk Enterprise changes the ttl to that action ttl. If multiple actions are triggered, Splunk Enterprise applies the maximum ttl to the artifacts. To set the action ttl, refer to alert_actions.conf.spec.

If the integer is followed by the letter 'p' Splunk Enterprise interprets the ttl as a multiple of the scheduled search period.

displayview Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
is_scheduled Indicates if this search is to be run on a schedule.
is_visible Indicates if this saved search appears in the visible saved search list.
max_concurrent The maximum number of concurrent instances of this search the scheduler is allowed to run.
next_scheduled_time The time when the scheduler runs this search again.
qualifiedSearch The exact search string that the scheduler would run.
realtime_schedule Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time.

If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.

If set to 1, the scheduler might skip some execution periods to make sure that the scheduler is executing the searches running over the most recent time range.

The scheduler tries to execute searches that have realtime_schedule set to 1 before it executes searches that have continuous scheduling (realtime_schedule = 0).

request.ui_dispatch_app A field used by Splunk Web to denote the app this search should be dispatched in.
request.ui_dispatch_view Specifies a field used by Splunk Web to denote the view this search should be displayed in.
restart_on_searchpeer_add Indicates whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search.

Note: The peer can be a newly added peer or a peer down and now available.

run_on_startup Indicates whether this search runs when Splunk Enterprise starts. If it does not run on startup, it runs at the next scheduled time.

Splunk recommends that you set run_on_startup to true for scheduled searches that populate lookup tables.

search Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

vsid The viewstate id associated with the UI view listed in 'displayview'.

Matches to a stanza in viewstates.conf.

[ Top ]



saved/searches/{name}


https://<host>:<mPort>/services/saved/searches/{name}

Authentication: Not required

Description

Manage the {name} saved search.

Method summary
Method Description Formats
DELETE Delete this saved search. XML, JSON
GET Get information on this saved search. XML, JSON
POST Updates this saved search XML, JSON

DELETE saved/searches/{name} method detail

Example

Request parameters

None

Response data keys

None


GET saved/searches/{name} method detail

Example

Request parameters
Name Type Default Description
earliest_time String If the search is scheduled display scheduled times starting from this time
latest_time String If the search is scheduled display scheduled times ending at this time
listDefaultActionArgs Boolean Indicates whether to list default actions.
Response data keys
Name Description
action.email Indicates the state of the email action.
action.email.auth_password The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here that is encrypted on the next Splunk Enterprise restart.

Defaults to empty string.

action.email.auth_username The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty string.

Note: Your SMTP server might reject unauthenticated emails.

action.email.bcc BCC email address to use if action.email is enabled.
action.email.cc CC email address to use if action.email is enabled.
action.email.command The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.email.format Specify the format of text in the email. This value also applies to any attachments.

Valid values: (plain | html | raw | csv)

action.email.from Email address from which the email action originates.
action.email.hostname Sets the hostname used in the web link (url) sent in email actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

When this value is a simple hostname, the protocol and port which are configured within splunk are used to construct the base of the url.

When this value begins with 'http://', it is used verbatim. Note: This means the correct port must be specified if it is not the default port for http or https. This is useful in cases when the Splunk Enterprise server is not aware of how to construct an externally referencable url, such as SSO environments, other proxies, or when the Splunk Enterprise server hostname is not generally resolvable.

Defaults to current hostname provided by the operating system, or if that fails "localhost." When set to empty, default behavior is used.

action.email.inline Indicates whether the search results are contained in the body of the email.

Results can be either inline or attached to an email. See action.email.sendresults.

action.email.mailserver Set the address of the MTA server to be used to send the emails.

Defaults to <LOCALHOST> (or whatever is set in alert_actions.conf).

action.email.maxresults Sets the global maximum number of search results to send when email.action is enabled.
action.email.maxtime Specifies the maximum amount of time the execution of an email action takes before the action is aborted.
action.email.preprocess_results Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).

Usually the preprocessing consists of filtering out unwanted internal fields.

action.email.reportPaperOrientation Specifies the paper orientation: portrait or landscape.
action.email.reportPaperSize Specifies the paper size for PDFs. Defaults to letter.

Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)

action.email.reportServerEnabled Not supported.
action.email.reportServerURL Not supported.
action.email.sendpdf Indicates whether to create and send the results as a PDF.
action.email.sendresults Indicates whether to attach the search results in the email.

Results can be either attached or inline. See action.email.inline.

action.email.subject Specifies an email subject.

Defaults to SplunkAlert-<savedsearchname>.

action.email.to List of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
action.email.track_alert Indicates whether the execution of this action signifies a trackable alert.
action.email.ttl Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows <Integer>, int is the number of scheduled periods. Defaults to 86400 (24 hours).

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

Valid values are Integer[p].

action.email.use_ssl Indicates whether to use SSL when communicating with the SMTP server.
action.email.use_tls Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).
action.populate_lookup The state of the populate lookup action.
action.populate_lookup.command The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search.

To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.populate_lookup.hostname Sets the hostname used in the web link (url) sent in alert actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

See action.email.hostname for details.

action.populate_lookup.maxresults The maximum number of search results sent using alerts.
action.populate_lookup.maxtime Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.

Valid values are: Integer[m|s|h|d]

action.populate_lookup.track_alert Indicates whether the execution of this action signifies a trackable alert.
action.populate_lookup.ttl Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

Valid values are Integer[p]

action.rss The state of the RSS action.
action.rss.command The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.rss.hostname Sets the hostname used in the web link (url) sent in alert actions.
action.rss.maxresults Sets the maximum number of search results sent using alerts.
action.rss.maxtime Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
action.rss.track_alert Indicates whether the execution of this action signifies a trackable alert.
action.rss.ttl Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

Valid values are: Integer[p]

action.script The state of the script action.
action.script.command The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.script.hostname Sets the hostname used in the web link (url) sent in alert actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)


protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)


See action.email.hostname for details.

action.script.maxresults The maximum number of search results sent using alerts.
action.script.maxtime Sets the maximum amount of time the execution of an action takes before the action is aborted.
action.script.track_alert Indicates whether the execution of this action signifies a trackable alert.
action.script.ttl Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 600 (10 minutes).

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

Valid values are: Integer[p]

action.summary_index The state of the summary index action.
action.summary_index._name Specifies the name of the summary index where the results of the scheduled search are saved.

Defaults to "summary."

action.summary_index.command The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.summary_index.hostname Sets the hostname used in the web link (url) sent in alert actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

See action.email.hostname for details.

action.summary_index.inline Determines whether to execute the summary indexing action as part of the scheduled search.

Note: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).

action.summary_index.maxresults Sets the maximum number of search results sent using alerts.
action.summary_index.maxtime Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
action.summary_index.track_alert Indicates whether the execution of this action signifies a trackable alert.
action.summary_index.ttl Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 10p.

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

Valid values are: Integer[p]

alert.digest_mode Specifies whether Splunk Enterprise applies the alert actions to the entire result set or on each individual result.
alert.expires Sets the period of time to show the alert in the dashboard. Defaults to 24h.
alert.severity Valid values: (1 | 2 | 3 | 4 | 5 | 6)

Sets the alert severity level.

Valid values are:

1 DEBUG
2 INFO
3 WARN
4 ERROR
5 SEVERE
6 FATAL
alert.suppress Indicates whether alert suppression is enabled for this schedules search.
alert.suppress.period Specifies the suppresion period. Only valid if alert.supress is enabled.

Uses [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.

alert.track Specifies whether to track the actions triggered by this scheduled search.

auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions.

true - force alert tracking.

false - disable alert tracking for this search.

alert_comparator One of the following strings:
greater than
less than
equal to
rises by
drops by
rises by perc
drops by perc

Used with alert_threshold to trigger alert actions.

alert_condition A conditional search that is evaluated against the results of the saved search. Defaults to an empty string.

Alerts are triggered if the specified search yields a non-empty search result list.

alert_threshold Valid values are: Integer[%]

Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to "rises by perc" or "drops by perc."

alert_type What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
cron_schedule The cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.

cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43.

Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes.

Valid values: cron string

description Description of this saved search.
disabled Indicates if this saved search is disabled.
dispatch.buckets The maximum nuber of timeline buckets.
dispatch.earliest_time A time string that specifies the earliest time for this search. Can be a relative or absolute time.

If this value is an absolute time, use the dispatch.time_format to format the value.

dispatch.latest_time A time string that specifies the latest time for this saved search. Can be a relative or absolute time.

If this value is an absolute time, use the dispatch.time_format to format the value.

dispatch.lookups Indicates if lookups are enabled for this search.
dispatch.max_count The maximum number of results before finalizing the search.
dispatch.max_time Indicates the maximum amount of time (in seconds) before finalizing the search.
dispatch.reduce_freq Specifies how frequently Splunk Enterprise should run the MapReduce reduce phase on accumulated map values.
dispatch.spawn_process Indicates whether Splunk Enterprise spawns a new search process when this saved search is executed.
dispatch.time_format A time format string that defines the time format that Splunk Enterprise uses to specify the earliest and latest time.
dispatch.ttl Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.

If an action is triggered Splunk Enterprise changes the ttl to that action ttl. If multiple actions are triggered, Splunk Enterprise applies the maximum ttl to the artifacts. To set the action ttl, refer to alert_actions.conf.spec.

If the integer is followed by the letter 'p' Splunk Enterprise interprets the ttl as a multiple of the scheduled search period.

displayview Defines the default Splunk Web view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
earliest_time For scheduled searches display all the scheduled times starting from this time.
is_scheduled Indicates if this search is to be run on a schedule.
is_visible Indicates if this saved search appears in the visible saved search list.
latest_time For scheduled searches display all the scheduled times until this time (not just the next run time).
listDefaultActionArgs List default values of actions.*, even though some of the actions may not be specified in the saved search.
max_concurrent The maximum number of concurrent instances of this search the scheduler is allowed to run.
next_scheduled_time The time when the scheduler runs this search again.
qualifiedSearch The exact search command for this saved search.
realtime_schedule Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time.

If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling.

See the POST parameter for this attribute for details.

request.ui_dispatch_app A field used by Splunk Web to denote the app this search should be dispatched in.
request.ui_dispatch_view Specifies a field used by Splunk Web to denote the view this search should be displayed in.
restart_on_searchpeer_add Indicates whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search.

Note: The peer can be a newly added peer or a peer down and now available.

run_on_startup Indicates whether this search runs when Splunk Enterprise starts. If it does not run on startup, it runs at the next scheduled time.

Splunk recommends that you set run_on_startup to true for scheduled searches that populate lookup tables.

search Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

vsid Defines the viewstate id associated with the UI view listed in 'displayview'.

Must match up to a stanza in viewstates.conf.


POST saved/searches/{name} method detail

Example

Request parameters
Name Type Default Description
action.* String Wildcard argument for any action.

Use this parameter to specify specific action arguments. For example, to specify the email recipients for action.email.to.

action.email Boolean 0 The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions.
action.email.auth_password String The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next Splunk Enterprise restart.

Defaults to empty string.

action.email.auth_username String The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty string.

NOTE: Your SMTP server might reject unauthenticated emails.

action.email.bcc String BCC email address to use if action.email is enabled.
action.email.cc String CC email address to use if action.email is enabled.
action.email.command String The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.email.format Enum Valid values: (plain | html | raw | csv)

Specify the format of text in the email. This value also applies to any attachments.

action.email.from String Email address from which the email action originates.

Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.

action.email.hostname String Sets the hostname used in the web link (url) sent in email actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

When this value is a simple hostname, the protocol and port which are configured within splunk are used to construct the base of the url.

When this value begins with 'http://', it is used verbatim. NOTE: This means the correct port must be specified if it is not the default port for http or https. This is useful in cases when the Splunk Enterprise server is not aware of how to construct an externally referencable url, such as SSO environments, other proxies, or when the Splunk Enterprise server hostname is not generally resolvable.

Defaults to current hostname provided by the operating system, or if that fails "localhost". When set to empty, default behavior is used.

action.email.inline Boolean Indicates whether the search results are contained in the body of the email.

Results can be either inline or attached to an email. See action.email.sendresults.

action.email.mailserver String Set the address of the MTA server to be used to send the emails.

Defaults to <LOCALHOST> (or whatever is set in alert_actions.conf).

action.email.maxresults Number Sets the global maximum number of search results to send when email.action is enabled.

Defaults to 100.

action.email.maxtime Number Valid values are Integer[m|s|h|d].

Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m.

action.email.pdfview String The name of the view to deliver if sendpdf is enabled
action.email.preprocess_results String Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).

Usually the preprocessing consists of filtering out unwanted internal fields.

action.email.reportCIDFontList Enum Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.

If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.

To skip loading any CID fonts, specify the empty string.

Defaults to "gb cns jp kor"

action.email.reportIncludeSplunkLogo Boolean Indicates whether to include the Splunk logo with the report.
action.email.reportPaperOrientation Enum Valid values: (portrait | landscape)

Specifies the paper orientation: portrait or landscape. Defaults to portrait.

action.email.reportPaperSize Enum Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)

Specifies the paper size for PDFs. Defaults to letter.

action.email.reportServerEnabled Boolean Not supported.
action.email.reportServerURL String Not supported.
action.email.sendpdf Boolean Indicates whether to create and send the results as a PDF. Defaults to false.
action.email.sendresults Boolean Indicates whether to attach the search results in the email.

Results can be either attached or inline. See action.email.inline.

action.email.subject String Specifies an alternate email subject.

Defaults to SplunkAlert-<savedsearchname>.

action.email.to String A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
action.email.track_alert Boolean Indicates whether the execution of this action signifies a trackable alert.
action.email.ttl Number Valid values are Integer[p].

Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows <Integer>, int is the number of scheduled periods. Defaults to 86400 (24 hours).

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

action.email.use_ssl Boolean Indicates whether to use SSL when communicating with the SMTP server.

Defaults to false.

action.email.use_tls Boolean Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).

Defaults to false.

action.email.width_sort_columns Boolean Indicates whether columns should be sorted from least wide to most wide, left to right.

Only valid if format=text.

action.populate_lookup Boolean 0 The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions.
action.populate_lookup.command String The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.populate_lookup.dest String Lookup name of path of the lookup to populate
action.populate_lookup.hostname String Sets the hostname used in the web link (url) sent in alert actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

See action.email.hostname for details.

action.populate_lookup.maxresults Number Sets the maximum number of search results sent using alerts. Defaults to 100.
action.populate_lookup.maxtime Number Valid values are: Integer[m|s|h|d]

Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.

action.populate_lookup.track_alert Boolean Indicates whether the execution of this action signifies a trackable alert.
action.populate_lookup.ttl Number Valid values are Integer[p]

Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

action.rss Boolean 0 The state of the rss action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions.
action.rss.command String The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.rss.hostname String Sets the hostname used in the web link (url) sent in alert actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

See action.email.hostname for details.

action.rss.maxresults Number Sets the maximum number of search results sent using alerts. Defaults to 100.
action.rss.maxtime Number Valid values are Integer[m|s|h|d].

Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.

action.rss.track_alert Boolean Indicates whether the execution of this action signifies a trackable alert.
action.rss.ttl Number Valid values are: Integer[p]

Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

action.script Boolean 0 The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions.
action.script.command String The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.script.filename String File name of the script to call. Required if script action is enabled
action.script.hostname String Sets the hostname used in the web link (url) sent in alert actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

See action.email.hostname for details.

action.script.maxresults Number Sets the maximum number of search results sent using alerts. Defaults to 100.
action.script.maxtime Number Valid values are: Integer[m|s|h|d]

Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.

action.script.track_alert Boolean Indicates whether the execution of this action signifies a trackable alert.
action.script.ttl Number Valid values are: Integer[p]

Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 600 (10 minutes).

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

action.summary_index Boolean 0 The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions.

Defaults to 0

action.summary_index._name String Specifies the name of the summary index where the results of the scheduled search are saved.

Defaults to "summary."

action.summary_index.command String The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.summary_index.hostname String Sets the hostname used in the web link (url) sent in summary-index alert actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

See action.email.hostname for details.

action.summary_index.inline Boolean Determines whether to execute the summary indexing action as part of the scheduled search.

NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).

Defaults to true

action.summary_index.maxresults Number Sets the maximum number of search results sent using alerts. Defaults to 100.
action.summary_index.maxtime Number Valid values are: Integer[m|s|h|d]

Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.

action.summary_index.track_alert Boolean Indicates whether the execution of this action signifies a trackable alert.
action.summary_index.ttl Number Valid values are: Integer[p]

Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 10p.

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

actions String A comma-separated list of actions to enable.

For example: rss,email

alert.digest_mode Boolean 1 Specifies whether Splunk Enterprise applies the alert actions to the entire result set or on each individual result.

Defaults to true.

alert.expires Number 24h Valid values: [number][time-unit]

Sets the period of time to show the alert in the dashboard. Defaults to 24h.

Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.

alert.severity Enum 3 Valid values: (1 | 2 | 3 | 4 | 5 | 6)

Sets the alert severity level.

Valid values are:

1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL

alert.suppress Boolean Indicates whether alert suppression is enabled for this scheduled search.
alert.suppress.fields String Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
alert.suppress.period Number Valid values: [number][time-unit]

Specifies the suppresion period. Only valid if alert.supress is enabled.

Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.

alert.track Enum auto Valid values: (true | false | auto)

Specifies whether to track the actions triggered by this scheduled search.

auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions.

true - force alert tracking.

false - disable alert tracking for this search.

alert_comparator String One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by perc

Used with alert_threshold to trigger alert actions.

alert_condition String Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.

Alerts are triggered if the specified search yields a non-empty search result list.

NOTE: If you specify an alert_condition, do not set counttype, relation, or quantity.

alert_threshold Number Valid values are: Integer[%]

Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to "rises by perc" or "drops by perc."

alert_type String What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources
args.* String Wildcard argument that accepts any saved search template argument, such as args.username=foobar when the search is search $username$.
auto_summarize Boolean 0 Indicates whether the scheduler should ensure that the data for this search is automatically summarized.
auto_summarize.command String summarize override=partial timespan=$auto_summarize.timespan$ max_summary_size=$auto_summarize.max_summary_size$ max_summary_ratio=$auto_summarize.max_summary_ratio$ max_disabled_buckets=$auto_summarize.max_disabled_buckets$ max_time=$auto_summarize.max_time$ [ $search$ ] A search template that constructs the auto summarization for this search.

Caution: Advanced feature. Do not change unless you understand the architecture of auto summarization of saved searches.

auto_summarize.cron_schedule String */10 * * * * Cron schedule that probes and generates the summaries for this saved search.

The default value corresponds to every ten hours.

auto_summarize.dispatch.earliest_time String A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.

If this value is an absolute time, use the dispatch.time_format to format the value.

auto_summarize.dispatch.latest_time String A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.

If this value is an absolute time, use the dispatch.time_format to format the value.

auto_summarize.dispatch.time_format String  %FT%T.%Q%:z Defines the time format that Splunk Enterprise uses to specify the earliest and latest time.
auto_summarize.dispatch.ttl String 60 Valid values: Integer[p]

Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search.

auto_summarize.max_disabled_buckets Number 2 The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period.
auto_summarize.max_summary_ratio Number 0.1 The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket.

Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.

auto_summarize.max_summary_size Number 52428800 The minimum summary size, in bytes, before testing whether the summarization is helpful.

The default value is equivalent to 5MB.

auto_summarize.max_time Number 3600 Maximum time (in seconds) that the summary search is allowed to run.

Note: This is an approximate time. The summary search stops at clean bucket boundaries.

auto_summarize.suspend_period String 24h Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.
auto_summarize.timespan String The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.

For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.

cron_schedule String Valid values: cron string

The cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.

cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43.

Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes.

description String Human-readable description of this saved search. Defaults to empty string.
disabled Boolean 0 Indicates if the saved search is enabled.

Disabled saved searches are not visible in Splunk Web.

dispatch.* String Wildcard argument that accepts any dispatch related argument.
dispatch.buckets Number 0 The maximum number of timeline buckets.
dispatch.earliest_time String A time string that specifies the earliest time for this search. Can be a relative or absolute time.

If this value is an absolute time, use the dispatch.time_format to format the value.

dispatch.indexedRealtime Boolean Indicates whether to used indexed-realtime mode when doing real-time searches.
dispatch.latest_time String A time string that specifies the latest time for this saved search. Can be a relative or absolute time.

If this value is an absolute time, use the dispatch.time_format to format the value.

dispatch.lookups Boolean 1 Enables or disables the lookups for this search.
dispatch.max_count Number 500000 The maximum number of results before finalizing the search.
dispatch.max_time Number 0 Indicates the maximum amount of time (in seconds) before finalizing the search.
dispatch.reduce_freq Number 10 Specifies, in seconds, how frequently Splunk Enterprise should run the MapReduce reduce phase on accumulated map values.
dispatch.rt_backfill Boolean 0 Whether to back fill the real time window for this search. Parameter valid only if this is a real time search
dispatch.spawn_process Boolean 1 Specifies whether Splunk Enterprise spawns a new search process when this saved search is executed.

Searches against indexes must run in a separate process.

dispatch.time_format String  %FT%T.%Q%:z A time format string that defines the time format that Splunk Enterprise uses to specify the earliest and latest time.
dispatch.ttl Number 2p Valid values: Integer[p]

Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.

If an action is triggered Splunk Enterprise changes the ttl to that action ttl. If multiple actions are triggered, Splunk Enterprise applies the maximum ttl to the artifacts. To set the action ttl, refer to alert_actions.conf.spec.

If the integer is followed by the letter 'p' Splunk Enterprise interprets the ttl as a multiple of the scheduled search period.

displayview String Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
is_scheduled Boolean Whether this search is to be run on a schedule
is_visible Boolean 1 Specifies whether this saved search should be listed in the visible saved search list.
max_concurrent Number 1 The maximum number of concurrent instances of this search the scheduler is allowed to run.
next_scheduled_time String Read-only attribute. Value ignored on POST. There are some old clients who still send this value
qualifiedSearch String Read-only attribute. Value ignored on POST. Splunk computes this value during runtime.
realtime_schedule Boolean 1 Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time.

If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.

If set to 1, the scheduler might skip some execution periods to make sure that the scheduler is executing the searches running over the most recent time range.

The scheduler tries to execute searches that have realtime_schedule set to 1 before it executes searches that have continuous scheduling (realtime_schedule = 0).

request.ui_dispatch_app String Specifies a field used by Splunk Web to denote the app this search should be dispatched in.
request.ui_dispatch_view String Specifies a field used by Splunk Web to denote the view this search should be displayed in.
restart_on_searchpeer_add Boolean 1 Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search.

NOTE: The peer can be a newly added peer or a peer down and now available.

run_on_startup Boolean 0 Indicates whether this search runs when Splunk Enterprise starts. If it does not run on startup, it runs at the next scheduled time.

Splunk recommends that you set run_on_startup to true for scheduled searches that populate lookup tables.

search String The search to save.
vsid String Defines the viewstate id associated with the UI view listed in 'displayview'.

Must match up to a stanza in viewstates.conf.

Response data keys
Name Description
action.* * represents any custom action.
action.email Indicates the state of the email action.
action.email.auth_password The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here that is encrypted on the next Splunk Enterprise restart.

Defaults to empty string.

action.email.auth_username The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty string.

Note: Your SMTP server might reject unauthenticated emails.

action.email.bcc BCC email address to use if action.email is enabled.
action.email.cc CC email address to use if action.email is enabled.
action.email.command The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.email.format Specify the format of text in the email. This value also applies to any attachments.<

Valid values: (plain | html | raw | csv)

action.email.from Email address from which the email action originates.

Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.

action.email.hostname Sets the hostname used in the web link (url) sent in email actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

When this value is a simple hostname, the protocol and port which are configured within splunk are used to construct the base of the url.

When this value begins with 'http://', it is used verbatim. NOTE: This means the correct port must be specified if it is not the default port for http or https. This is useful in cases when the Splunk Enterprise server is not aware of how to construct an externally referencable url, such as SSO environments, other proxies, or when the Splunk Enterprise server hostname is not generally resolvable.

Defaults to current hostname provided by the operating system, or if that fails "localhost". When set to empty, default behavior is used.

action.email.inline Indicates whether the search results are contained in the body of the email.

Results can be either inline or attached to an email. See action.email.sendresults.

action.email.mailserver Set the address of the MTA server to be used to send the emails.

Defaults to <LOCALHOST> (or whatever is set in alert_actions.conf).

action.email.maxresults A conditional search that is evaluated against the results of the saved search. Defaults to an empty string.

Alerts are triggered if the specified search yields a non-empty search result list.

Note: If you specify an alert_condition, do not set counttype, relation, or quantity.

action.email.maxtime Specifies the maximum amount of time the execution of an email action takes before the action is aborted.
action.email.pdfview The name of the view to deliver if sendpdf is enabled
action.email.preprocess_results Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).

Usually the preprocessing consists of filtering out unwanted internal fields.

action.email.reportCIDFontList Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.

If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used.

To skip loading any CID fonts, specify the empty string.

Default value: "gb cns jp kor"

action.email.reportIncludeSplunkLogo Indicates whether to include the Splunk logo with the report.
action.email.reportPaperOrientation Specifies the paper orientation: portrait or landscape.
action.email.reportPaperSize Specifies the paper size for PDFs. Defaults to letter.

Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)

action.email.reportServerEnabled Not supported.
action.email.reportServerURL Not supported.
action.email.sendpdf Indicates whether to create and send the results as a PDF.
action.email.sendresults Indicates whether to attach the search results in the email.

Results can be either attached or inline. See action.email.inline.

action.email.subject Specifies an email subject.

Defaults to SplunkAlert-<savedsearchname>.

action.email.to List of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
action.email.track_alert Indicates whether the execution of this action signifies a trackable alert.
action.email.ttl Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows <Integer>, int is the number of scheduled periods. Defaults to 86400 (24 hours).

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

Valid values are Integer[p].

action.email.use_ssl Indicates whether to use SSL when communicating with the SMTP server.
action.email.use_tls Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).
action.email.width_sort_columns Indicates whether columns should be sorted from least wide to most wide, left to right.

Only valid if format=text.

action.populate_lookup Indicates the state of the populate lookup action.
action.populate_lookup.command The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.populate_lookup.dest Lookup name of path of the lookup to populate.
action.populate_lookup.hostname Sets the hostname used in the web link (url) sent in alert actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

See action.email.hostname for details.

action.populate_lookup.maxresults The maximum number of search results sent using alerts.
action.populate_lookup.maxtime The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.populate_lookup.track_alert Indicates whether the execution of this action signifies a trackable alert.
action.populate_lookup.ttl Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

Valid values are Integer[p]

action.rss Indicates the state of the RSS action.
action.rss.command The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.rss.hostname Sets the hostname used in the web link (url) sent in alert actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

See action.email.hostname for details.

action.rss.maxresults Sets the maximum number of search results sent using alerts.
action.rss.maxtime Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m.
action.rss.track_alert Indicates whether the execution of this action signifies a trackable alert.
action.rss.ttl Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

Valid values are: Integer[p]

action.script Indicates the state of the script for this action.
action.script.command The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.script.filename File name of the script to call. Required if script action is enabled
action.script.hostname Sets the hostname used in the web link (url) sent in alert actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)


protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)


See action.email.hostname for details.

action.script.maxresults Sets the maximum number of search results sent using alerts.
action.script.maxtime Sets the maximum amount of time the execution of an action takes before the action is aborted.
action.script.track_alert Specifies the name of the summary index where the results of the scheduled search are saved.

Defaults to "summary."

action.script.ttl Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 600 (10 minutes).

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

Valid values are: Integer[p]

action.summary_index Indicates the state of the summary index.
action.summary_index._name Specifies the name of the summary index where the results of the scheduled search are saved.

Defaults to "summary."

action.summary_index.command The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.summary_index.hostname Sets the hostname used in the web link (url) sent in alert actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

See action.email.hostname for details.

action.summary_index.inline Determines whether to execute the summary indexing action as part of the scheduled search.

Note: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always).

action.summary_index.maxresults Sets the maximum number of search results sent using alerts.
action.summary_index.maxtime Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.

Valid values are: Integer[m|s|h|d]

action.summary_index.track_alert Indicates whether the execution of this action signifies a trackable alert.
action.summary_index.ttl Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 10p.

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

Valid values are: Integer[p]

actions Actions to enable.
alert.digest_mode Indicates if Splunk Enterprise applies the alert actions to the entire result set or on each individual result.
alert.expires Sets the period of time to show the alert in the dashboard. Defaults to 24h.

Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.

Valid values: [number][time-unit]

alert.severity Valid values: (1 | 2 | 3 | 4 | 5 | 6)

Sets the alert severity level.

Valid values are:

1 DEBUG
2 INFO
3 WARN
4 ERROR
5 SEVERE
6 FATAL
alert.suppress Indicates whether alert suppression is enabled for this schedules search.
alert.suppress.fields Fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
alert.suppress.period Specifies the suppresion period. Only valid if alert.supress is enabled.

Uses [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.

alert.track Specifies whether to track the actions triggered by this scheduled search.

auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions.

true - force alert tracking.

false - disable alert tracking for this search.

alert_comparator One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by perc

Used with alert_threshold to trigger alert actions.

alert_condition A conditional search that is evaluated against the results of the saved search. Defaults to an empty string.

Alerts are triggered if the specified search yields a non-empty search result list.

Note: If you specify an alert_condition, do not set counttype, relation, or quantity.

alert_threshold Valid values are: Integer[%]

Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to "rises by perc" or "drops by perc."

alert_type What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
args.* Wildcard argument that accepts any saved search template argument, such as args.username=foobar when the search is search $username$.
auto_summarize Indicates whether the scheduler should ensure that the data for this search is automatically summarized.
auto_summarize.command A search template that constructs the auto summarization for this search.

Caution: Advanced feature. Do not change unless you understand the architecture of auto summarization of saved searches.

auto_summarize.cron_schedule Cron schedule that probes and generates the summaries for this saved search.

The default value corresponds to every ten hours.

auto_summarize.dispatch.earliest_time A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.
auto_summarize.dispatch.latest_time A time string that specifies the latest time for this saved search. Can be a relative or absolute time.
auto_summarize.dispatch.time_format Defines the time format that Splunk Enterprise uses to specify the earliest and latest time.
auto_summarize.dispatch.ttl Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search. If the integer is followed by the letter 'p' Splunk Enterprise interprets the ttl as a multiple of the scheduled search period.
auto_summarize.max_disabled_buckets The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period.
auto_summarize.max_summary_ratio The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket.

Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.

auto_summarize.max_summary_size The minimum summary size, in bytes, before testing whether the summarization is helpful.
auto_summarize.max_time Maximum time (in seconds) that the summary search is allowed to run.

Note: This is an approximate time. The summary search stops at clean bucket boundaries.

auto_summarize.suspend_period Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful.
auto_summarize.timespan The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available.

For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d.

cron_schedule The cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.

cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43.

Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes.

Valid values: cron string

description Description of this saved search.
disabled Indicates if the saved search is disnabled.

Disabled saved searches are not visible in Splunk Web.

dispatch.* * represents any custom dispatch field.
dispatch.buckets The maximum nuber of timeline buckets.
dispatch.earliest_time A time string that specifies the earliest time for this search. Can be a relative or absolute time.

If this value is an absolute time, use the dispatch.time_format to format the value.

dispatch.indexedRealtime Indicates whether to used indexed-realtime mode when doing real-time searches.
dispatch.latest_time A time string that specifies the latest time for this saved search. Can be a relative or absolute time.

If this value is an absolute time, use the dispatch.time_format to format the value.

dispatch.lookups Indicates if lookups are enabled for this search.
dispatch.max_count The maximum number of results before finalizing the search.
dispatch.max_time Indicates the maximum amount of time (in seconds) before finalizing the search.
dispatch.reduce_freq Specifies how frequently Splunk Enterprise should run the MapReduce reduce phase on accumulated map values.
dispatch.rt_backfill Indicates whether to back fill the real time window for this search. Parameter valid only if this is a real time search
dispatch.spawn_process Indicates whether Splunk Enterprise spawns a new search process when this saved search is executed.
dispatch.time_format Time format string that defines the time format that Splunk Enterprise uses to specify the earliest and latest time.
dispatch.ttl Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.

If an action is triggered Splunk Enterprise changes the ttl to that action ttl. If multiple actions are triggered, Splunk Enterprise applies the maximum ttl to the artifacts. To set the action ttl, refer to alert_actions.conf.spec.

If the integer is followed by the letter 'p' Splunk Enterprise interprets the ttl as a multiple of the scheduled search period.

displayview Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.
is_scheduled Indicates if this search is to be run on a schedule.
is_visible Indicates if this saved search appears in the visible saved search list.
max_concurrent The maximum number of concurrent instances of this search the scheduler is allowed to run.
next_scheduled_time The time when the scheduler runs this search again.
qualifiedSearch The exact search command for this saved search.
realtime_schedule Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time.

If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.

If set to 1, the scheduler might skip some execution periods to make sure that the scheduler is executing the searches running over the most recent time range.

The scheduler tries to execute searches that have realtime_schedule set to 1 before it executes searches that have continuous scheduling (realtime_schedule = 0).

request.ui_dispatch_app A field used by Splunk Web to denote the app this search should be dispatched in.
request.ui_dispatch_view Specifies a field used by Splunk Web to denote the view this search should be displayed in.
restart_on_searchpeer_add Indicates whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search.

Note: The peer can be a newly added peer or a peer down and now available.

run_on_startup Indicates whether this search runs when Splunk Enterprise starts. If it does not run on startup, it runs at the next scheduled time.

Splunk recommends that you set run_on_startup to true for scheduled searches that populate lookup tables.

search Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

vsid Defines the viewstate id associated with the UI view listed in 'displayview'.

Must match up to a stanza in viewstates.conf.

[ Top ]



saved/searches/{name}/acknowledge


https://<host>:<mPort>/services/saved/searches/{name}/acknowledge

Authentication: Not required

Description

Acknowledge the {name} saved search alert suppression.

Method summary
Method Description Formats
POST Acknowledge the {name} saved search alert suppression and resume alerting. XML, JSON

POST saved/searches/{name}/acknowledge method detail

Example

Request parameters
Name Type Default Description
key String The suppression key used in field-based supression.

For example, in host-based suppression, with data from 5 hosts, the key is the host, as each host could have different suppression expiration times.

Response data keys

None

[ Top ]



saved/searches/{name}/dispatch


https://<host>:<mPort>/services/saved/searches/{name}/dispatch

Authentication: Not required

Description

Dispatch the {name} saved search.

Method summary
Method Description Formats
POST Dispatch the {name} saved search. XML, JSON

POST saved/searches/{name}/dispatch method detail

Example

Request parameters
Name Type Default Description
args.* Arg values to create a saved search is the saved search is a template search.

For example, specify arg.index_name to create the following search:

search index=$args.index_name | ...
dispatch.* String Any dispatch.* field of the search that needs to be overridden when running the summary search.
dispatch.now Boolean Dispatch the search as if the specified time for this parameter was the current time.
force_dispatch Boolean Indicates whether to start a new search even if another instance of this search is already running.
now String [Deprecated] Use dispatch.now.
trigger_actions Boolean Indicates whether to trigger alert actions.
Response data keys

None

[ Top ]



saved/searches/{name}/history


https://<host>:<mPort>/services/saved/searches/{name}/history

Authentication: Not required

Description

List available search jobs created from the {name} saved search.

Method summary
Method Description Formats
GET List available search jobs created from the {name} saved search. XML, JSON

GET saved/searches/{name}/history method detail

Example

Request parameters

None

Response data keys
Name Description
earliest_time The earliest time a search job is configured to start.
isDone Indicates if the search has completed.
isFinalized Indicates if the search was finalized (stopped before completion).
isRealTimeSearch Indicates if the search is a real time search.
isSaved Indicates if the search is saved idefinitely.
isScheduled Indicates if the search is a scheduled search.
isZombie Indicates if the process running the search is dead, but with the search not finished.
latest_time The latest time a search job is configured to start.
listDefaultActionArgs List default values of actions.*, even though some of the actions may not be specified in the saved search.
ttl The time to live, or time before the search job expires after it completes.

[ Top ]



saved/searches/{name}/reschedule


https://<host>:<mPort>/services/saved/searches/{name}/reschedule

Authentication: Not required

Description

Get list of scheduled searches.

Method summary
Method Description Formats
POST Get list of scheduled searches. XML, JSON

POST saved/searches/{name}/reschedule method detail

Example

Request parameters
Name Type Default Description
schedule_time String The time to next run the search.
Response data keys

None

Application usage

If no schedule_time argument is specified, it is assumed that the search should be run as soon as possible.

[ Top ]



saved/searches/{name}/scheduled_times


https://<host>:<mPort>/services/saved/searches/{name}/scheduled_times

Authentication: Not required

Description

Get {name} scheduled saved search time.

Method summary
Method Description Formats
GET Get {name} scheduled saved search time. XML, JSON

GET saved/searches/{name}/scheduled_times method detail

Example

Request parameters
Name Type Default Description
earliest_time
required
String Absolute or relative earliest time
latest_time
required
String Absolute or relative latest time
Response data keys
Name Description
action.email Indicates the state of the email action.
action.email.auth_password The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here that is encrypted on the next Splunk Enterprise restart.

Defaults to empty string.

action.email.auth_username The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty string.

Note: Your SMTP server might reject unauthenticated emails.

action.email.pdfview The name of the view to deliver if sendpdf is enabled.
action.email.subject Specifies an email subject.

Defaults to SplunkAlert-<savedsearchname>.

action.email.to List of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
action.summary_index The state of the summary index action.
action.summary_index._name The state of the summary index action.
actions Actions triggerd by this alert.
alert.digest_mode Indicates if Splunk Enterprise applies the alert actions to the entire result set or on each individual result.
alert.expires Sets the period of time to show the alert in the dashboard. Defaults to 24h.

Uses [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.

alert.severity Valid values: (1 | 2 | 3 | 4 | 5 | 6)

Sets the alert severity level.

Valid values are:

1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL

alert.suppress Indicates whether alert suppression is enabled for this schedules search.
alert.suppress.fields Fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.
alert.suppress.period Specifies the suppresion period. Only valid if alert.supress is enabled.

Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.

alert.track Specifies whether to track the actions triggered by this scheduled search.

auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions.

true - force alert tracking.

false - disable alert tracking for this search.

alert_comparator Valid values are: Integer[%]

Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to "rises by perc" or "drops by perc."

alert_condition A conditional search that is evaluated against the results of the saved search. Defaults to an empty string.

Alerts are triggered if the specified search yields a non-empty search result list.

Note: If you specify an alert_condition, do not set counttype, relation, or quantity.

alert_threshold Valid values are: Integer[%]

Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to "rises by perc" or "drops by perc."

alert_type What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources.
cron_schedule The cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.

cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43.

Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes.

Valid values: cron string

description Description of the saved search.
disabled Indicates if this saved search is disabled.
dispatch.buckets The maximum number of timeline buckets.
dispatch.earliest_time A time string that specifies the earliest time for this search. Can be a relative or absolute time.

If this value is an absolute time, use the dispatch.time_format to format the value.

dispatch.latest_time A time string that specifies the latest time for this saved search. Can be a relative or absolute time.

If this value is an absolute time, use the dispatch.time_format to format the value.

dispatch.lookups Indicates if lookups are enabled for this search.
dispatch.max_count The maximum number of results before finalizing the search.
dispatch.max_time Indicates the maximum amount of time (in seconds) before finalizing the search
earliest_time For scheduled searches display all the scheduled times starting from this time.
is_scheduled Indicates if this search is to be run on a schedule.
is_visible Indicates if this saved search appears in the visible saved search list.
latest_time A time string that specifies the latest time for this saved search. Can be a relative or absolute time.

If this value is an absolute time, use the dispatch.time_format to format the value.

listDefaultActionArgs List default values of actions.*, even though some of the actions may not be specified in the saved search.
max_concurrent The maximum number of concurrent instances of this search the scheduler is allowed to run.
next_scheduled_time The time when the scheduler runs this search again.
qualifiedSearch The exact search command for this saved search.
realtime_schedule Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time.

If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option.

If set to 1, the scheduler might skip some execution periods to make sure that the scheduler is executing the searches running over the most recent time range.

The scheduler tries to execute searches that have realtime_schedule set to 1 before it executes searches that have continuous scheduling (realtime_schedule = 0).

request.ui_dispatch_app A field used by Splunk Web to denote the app this search should be dispatched in.
request.ui_dispatch_view A field used by Splunk Web to denote the app this search should be dispatched in.
restart_on_searchpeer_add Indicates whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search.

Note: The peer can be a newly added peer or a peer down and now available.

run_on_startup Indicates whether this search runs when Splunk Enterprise starts. If it does not run on startup, it runs at the next scheduled time.

Splunk recommends that you set run_on_startup to true for scheduled searches that populate lookup tables.

scheduled_times The times when the scheduler runs the search.
search Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

vsid The viewstate id associated with the Splunk Web view listed in 'displayview'.

Matches to a stanza in viewstates.conf.

Application usage

Specify a time range for the data returned using earliest_time and latest_time parameters.

[ Top ]



saved/searches/{name}/suppress


https://<host>:<mPort>/services/saved/searches/{name}/suppress

Authentication: Not required

Description

Get the {name} saved search alert suppression state.

Method summary
Method Description Formats
GET Get the {name} saved search alert suppression state. XML, JSON

GET saved/searches/{name}/suppress method detail

Example

Request parameters
Name Type Default Description
expiration String Indicates the time the suppression period expires.
key
Response data keys
Name Description
earliest_time For scheduled searches display all the scheduled times starting from this time.
expiration Sets the period of time to show the alert in the dashboard. Defaults to 24h.

Uses [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.

latest_time A time string that specifies the latest time for this saved search. Can be a relative or absolute time.

If this value is an absolute time, use the dispatch.time_format to format the value.

listDefaultActionArgs List default values of actions.*, even though some of the actions may not be specified in the saved search.
suppressed Indicates if alert suppression is enabled for this search.
suppressionKey A combination of all the values of the suppression fields (or the combinations MD5), if fields were specified.

[ Top ]



scheduled/views


https://<host>:<mPort>/services/scheduled/views

Authentication: Not required

Description

Allows for management of scheduled (for pdf delivery) views. Scheduled views are dummy/noop scheduled saved searches that email a pdf version of a view.

Method summary
Method Description Formats
GET Lists all scheduled view objects. XML, JSON

GET scheduled/views method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
action.email Indicates the state of the email action.
action.email.pdfview Name of the view to send as a PDF.
action.email.sendpdf Indicates whether to create and send the results as a PDF.
action.email.sendresults Indicates whether the search results are included in the email. The results can be attached or inline.
action.email.to List of recipient email addresses. Required if the email alert action is enabled.
action.email.ttl Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows <Integer>, int is the number of scheduled periods. Defaults to 86400 (24 hours).

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

Valid values are Integer[p].

cron_schedule The cron schedule to use for delivering the view. Scheduled views are dummy/noop scheduled saved searches that email a pdf version of a view

For example: */5 * * * * causes the search to execute every 5 minutes.

cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43.

Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes.

description Description of this scheduled view object.
disabled Indicates if the scheduled view is disabled.
is_scheduled Indicates if PDF delivery of this view is scheduled.
next_scheduled_time The next time when the view is delivered.

[ Top ]



scheduled/views/{name}


https://<host>:<mPort>/services/scheduled/views/{name}

Authentication: Not required

Description

Manage the {name} scheduled view.

Method summary
Method Description Formats
DELETE Delete a scheduled view. XML, JSON
GET List the {name} scheduled view object. XML, JSON
POST Modify the {name} scheduled view. XML, JSON

DELETE scheduled/views/{name} method detail

Example

Request parameters

None

Response data keys

None


GET scheduled/views/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
action.email Indicates the sate of the email action.
action.email.auth_password The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next Splunk Enterprise restart.

Defaults to empty string.

action.email.auth_username The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty string.

Note: Your SMTP server might reject unauthenticated emails.

action.email.bcc "BCC email address to use if action.email is enabled.
action.email.cc CC email address to use if action.email is enabled.
action.email.command The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.email.format Specify the format of text in the email. This value also applies to any attachments.<

Valid values: (plain | html | raw | csv)

action.email.from Email address from which the email action originates.

Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.

action.email.hostname Sets the hostname used in the web link (url) sent in email actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

When this value is a simple hostname, the protocol and port which are configured within splunk are used to construct the base of the url.

When this value begins with 'http://', it is used verbatim. NOTE: This means the correct port must be specified if it is not the default port for http or https. This is useful in cases when the Splunk Enterprise server is not aware of how to construct an externally referencable url, such as SSO environments, other proxies, or when the Splunk Enterprise server hostname is not generally resolvable.

Defaults to current hostname provided by the operating system, or if that fails "localhost". When set to empty, default behavior is used.

action.email.inline Indicates whether the search results are contained in the body of the email.

Results can be either inline or attached to an email. See action.email.sendresults.

action.email.mailserver Set the address of the MTA server to be used to send the emails.

Defaults to <LOCALHOST> (or whatever is set in alert_actions.conf).

action.email.maxresults Sets the global maximum number of search results to send when email.action is enabled.
action.email.maxtime Specifies the maximum amount of time the execution of an email action takes before the action is aborted.
action.email.pdfview The name of the view to deliver if sendpdf is enabled.
action.email.preprocess_results Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).

Usually the preprocessing consists of filtering out unwanted internal fields.

action.email.reportPaperOrientation Specifies the paper orientation: portrait or landscape.
action.email.reportPaperSize Specifies the paper size for PDFs. Defaults to letter.

Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)

action.email.sendpdf Indicates whether to create and send the results as a PDF.
action.email.sendresults Indicates whether to attach the search results in the email.

Results can be either attached or inline. See action.email.inline.

action.email.subject Specifies the email subject.

Defaults to SplunkAlert-<savedsearchname>.

action.email.to List of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
action.email.track_alert Indicates whether the execution of this action signifies a trackable alert.
action.email.ttl Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows <Integer>, int is the number of scheduled periods. Defaults to 86400 (24 hours).

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

Valid values are Integer[p].

action.email.use_ssl Indicates whether to use SSL when communicating with the SMTP server
action.email.use_tls Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).
cron_schedule The cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.

cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43.

Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes.

Valid values: cron string

description Description of this saved search for this view.
disabled Indicates if the saved search for this view is disabled.
is_scheduled Indicates if this search is to be run on a schedule.
next_scheduled_time The next time when the view is delivered.

POST scheduled/views/{name} method detail

Example

Request parameters
Name Type Default Description
action.email.to
required
String Comma or semicolon separated list of email addresses to send the view to
action.email* String Wildcard argument that accepts any email action.
cron_schedule
required
String The cron schedule to use for delivering the view. Scheduled views are dummy/noop scheduled saved searches that email a pdf version of a view.

For example: */5 * * * * causes the search to execute every 5 minutes.

cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43.

Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes.

description String User readable description of this scheduled view object
disabled Boolean 0 Whether this object is enabled or disabled
is_scheduled
required
Boolean Whether this pdf delivery should be scheduled
next_scheduled_time String The next time when the view is delivered. Ignored on edit, here only for backwards compatability.
Response data keys
Name Description
action.email Indicates the status of the email action.
action.email.auth_password The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here that is encrypted on the next Splunk Enterprise restart.

Defaults to empty string.

action.email.auth_username The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty string.

Note: Your SMTP server might reject unauthenticated emails.

action.email.bcc BCC email address to use if action.email is enabled.
action.email.cc CC email address to use if action.email is enabled.
action.email.command The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.email.format Specify the format of text in the email. This value also applies to any attachments.<

Valid values: (plain | html | raw | csv)

action.email.from Email address from which the email action originates
action.email.hostname Sets the hostname used in the web link (url) sent in email actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

When this value is a simple hostname, the protocol and port which are configured within splunk are used to construct the base of the url.

When this value begins with 'http://', it is used verbatim. NOTE: This means the correct port must be specified if it is not the default port for http or https. This is useful in cases when the Splunk Enterprise server is not aware of how to construct an externally referencable url, such as SSO environments, other proxies, or when the Splunk Enterprise server hostname is not generally resolvable.

Defaults to current hostname provided by the operating system, or if that fails "localhost". When set to empty, default behavior is used.

action.email.inline Indicates whether the search results are contained in the body of the email.

Results can be either inline or attached to an email. See action.email.sendresults.

action.email.mailserver Set the address of the MTA server to be used to send the emails.

Defaults to <LOCALHOST> (or whatever is set in alert_actions.conf).

action.email.maxresults Sets the maximum number of search results sent using alerts.
action.email.maxtime Specifies the maximum amount of time the execution of an email action takes before the action is aborted.
action.email.pdfview The name of the view to deliver if sendpdf is enabled.
action.email.preprocess_results Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).

Usually the preprocessing consists of filtering out unwanted internal fields.

action.email.reportPaperOrientation Specifies the paper orientation: portrait or landscape.
action.email.reportPaperSize Specifies the paper size for PDFs. Defaults to letter.

Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)

action.email.sendpdf Indicates whether to create and send the results as a PDF.
action.email.sendresults Indicates whether to attach the search results in the email.

Results can be either attached or inline. See action.email.inline.

action.email.subject Specifies an email subject.

Defaults to SplunkAlert-<savedsearchname>.

action.email.to List of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
action.email.track_alert Indicates whether the execution of this action signifies a trackable alert.
action.email.ttl Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows <Integer>, int is the number of scheduled periods. Defaults to 86400 (24 hours).

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

Valid values are Integer[p].

action.email.use_ssl Indicates whether to use SSL when communicating with the SMTP server.
action.email.use_tls Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).
cron_schedule The cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.

cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43.

Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes.

Valid values: cron string

description Description of the saved search for this view.
disabled Indicates if the saved search for this view is disabled.
is_scheduled Indicates if this search is to be run on a schedule.
next_scheduled_time The next time when the view is delivered.

[ Top ]



scheduled/views/{name}/dispatch


https://<host>:<mPort>/services/scheduled/views/{name}/dispatch

Authentication: Not required

Description

Dispatch the scheduled search associated with the {name} scheduled view.

Method summary
Method Description Formats
POST Dispatch the scheduled search associated with the {name} scheduled view. XML, JSON

POST scheduled/views/{name}/dispatch method detail

Example

Request parameters
Name Type Default Description
args.* String Wildcard argument that accepts any saved search template argument, such as arg.username=foobar when the search is search $username$.
dispatch.* String Wildcard argument that accepts any dispatch related argument.
dispatch.now Boolean Dispatch the search as if the specified time for this parameter was the current time.
force_dispatch Boolean Indicates whether to start a new search even if another instance of this search is already running.
now String [Deprecated] Use dispatch.now.
trigger_actions Boolean Indicates whether to trigger alert actions
Response data keys

None

[ Top ]



scheduled/views/{name}/history


https://<host>:<mPort>/services/scheduled/views/{name}/history

Authentication: Not required

Description

Get a list of search jobs used to render the {name} scheduled view.

Method summary
Method Description Formats
GET Get a list of search jobs used to render the {name} scheduled view. XML, JSON

GET scheduled/views/{name}/history method detail

Example

Request parameters

None

Response data keys

None

[ Top ]



scheduled/views/{name}/reschedule


https://<host>:<mPort>/services/scheduled/views/{name}/reschedule

Authentication: Not required

Description

Schedule when to deliver a PDF of the view.

Method summary
Method Description Formats
POST Schedule when to deliver a PDF of the view. XML, JSON

POST scheduled/views/{name}/reschedule method detail

Example

Request parameters
Name Type Default Description
schedule_time String Absolute or relative schedule time.
Response data keys

None

Application usage

If schedule_time is not specified, then it is assumed that the delivery should occur as soon as possible.

[ Top ]



scheduled/views/{name}/scheduled_times


https://<host>:<mPort>/services/scheduled/views/{name}/scheduled_times

Authentication: Not required

Description

Get scheduled view times.

Method summary
Method Description Formats
GET Get scheduled view times. XML, JSON

GET scheduled/views/{name}/scheduled_times method detail

Example

Request parameters
Name Type Default Description
earliest_time String Absolute or relative earliest time
latest_time String Absolute or relative latest time
Response data keys
Name Description
action.email Indicates the state of the email action.
action.email.auth_password The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here that is encrypted on the next Splunk Enterprise restart.

Defaults to empty string.

action.email.auth_username The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty string.

Note: Your SMTP server might reject unauthenticated emails.

action.email.bcc BCC email address to use if action.email is enabled.
action.email.cc CC email address to use if action.email is enabled.
action.email.command The search command (or pipeline) which is responsible for executing the action.

Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.

action.email.format Specify the format of text in the email. This value also applies to any attachments.<

Valid values: (plain | html | raw | csv)

action.email.from Email address from which the email action originates.
action.email.hostname Sets the hostname used in the web link (url) sent in email actions.

This value accepts two forms:

hostname (for example, splunkserver, splunkserver.example.com)

protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443)

When this value is a simple hostname, the protocol and port which are configured within splunk are used to construct the base of the url.

When this value begins with 'http://', it is used verbatim. NOTE: This means the correct port must be specified if it is not the default port for http or https. This is useful in cases when the Splunk Enterprise server is not aware of how to construct an externally referencable url, such as SSO environments, other proxies, or when the Splunk Enterprise server hostname is not generally resolvable.

Defaults to current hostname provided by the operating system, or if that fails "localhost". When set to empty, default behavior is used.

action.email.inline Indicates whether the search results are contained in the body of the email.

Results can be either inline or attached to an email. See action.email.sendresults.

action.email.mailserver Set the address of the MTA server to be used to send the emails.

Defaults to <LOCALHOST> (or whatever is set in alert_actions.conf).

action.email.maxresults Sets the maximum number of search results sent using alerts.
action.email.maxtime Specifies the maximum amount of time the execution of an email action takes before the action is aborted.
action.email.pdfview The name of the view to deliver if sendpdf is enabled.
action.email.preprocess_results Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).

Usually the preprocessing consists of filtering out unwanted internal fields.

action.email.reportPaperOrientation Specifies the paper orientation: portrait or landscape.
action.email.reportPaperSize Specifies the paper size for PDFs. Defaults to letter.

Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)

action.email.reportServerEnabled Not supported.
action.email.reportServerURL Not supported.
action.email.sendpdf Indicates whether to create and send the results as a PDF.
action.email.sendresults Indicates whether to attach the search results in the email.

Results can be either attached or inline. See action.email.inline.

action.email.subject Specifies an email subject.

Defaults to SplunkAlert-<savedsearchname>.

action.email.to List of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.
action.email.track_alert Indicates whether the execution of this action signifies a trackable alert.
action.email.ttl Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows <Integer>, int is the number of scheduled periods. Defaults to 86400 (24 hours).

If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.

Valid values are Integer[p].

action.email.use_ssl Indicates whether to use SSL when communicating with the SMTP server.
action.email.use_tls Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).
action.email.width_sort_columns Indicates whether columns should be sorted from least wide to most wide, left to right.

Only valid if format=text.

cron_schedule The cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.

cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43.

Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes.

Valid values: cron string

description Description of the saved search for this view.
disabled Indicates if the saved search for this view is disnabled.

Disabled saved searches are not visible in Splunk Web.

is_scheduled Indicates if this search is to be run on a schedule.
next_scheduled_time The next time when the view is delivered.
Application usage

Specify a time range for the data returned using earliest_time and latest_time parameters.

[ Top ]



search/jobs


https://<host>:<mPort>/services/search/jobs

Authentication: Not required

Description

List search jobs.

Refer to Creating searches using the REST API for information on using this endpoint and other search endpoints.

Method summary
Method Description Formats
GET Get details of all current searches. XML, JSON
POST Starts a new search, returning the search ID (<sid>). XML, JSON

GET search/jobs method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
cursorTime The earliest time from which no events are later scanned.

Can be used to indicate progress. See description for doneProgress.

custom Custom job property. (See the search/jobs POST request for an example of how to create a custom property.)
delegate For saved searches, specifies jobs that were started by the user. Defaults to scheduler.
diskUsage The total amount of disk space used, in bytes.
dispatchState The state of the search. Can be any of QUEUED, PARSING, RUNNING, PAUSED, FINALIZING, FAILED, DONE.
doneProgress A number between 0 and 1.0 that indicates the approximate progress of the search.

doneProgress = (latestTime – cursorTime) / (latestTime – earliestTime)

dropCount For real-time searches only, the number of possible events that were dropped due to the rt_queue_size (default to 100000).
earliestTime The earliest time a search job is configured to start.

Can be used to indicate progress. See description for doneProgress.

eventAvailableCount The number of events that are available for export.
eventCount The number of events returned by the search.
eventFieldCount The number of fields found in the search results.
eventIsStreaming Indicates if the events of this search are being streamed.
eventIsTruncated Indicates if events of the search are not stored, making them unavailable from the events endpoint for the search.
eventSearch Subset of the entire search that is before any transforming commands. The timeline and events endpoint represents the result of this part of the search.
eventSorting Indicates if the events of this search are sorted, and in which order.

asc = ascending;

desc = descending;

none = not sorted

isDone Indicates if the search has completed.
isFailed Indicates if there was a fatal error executing the search. For example, invalid search string syntax.
isFinalized Indicates if the search was finalized (stopped before completion).
isPaused Indicates if the search is paused.
isPreviewEnabled Indicates if previews are enabled.
isRealTimeSearch Indicates if the search is a real time search.
isRemoteTimeline Indicates if the remote timeline feature is enabled.
isSaved Indicates that the search job is saved, storing search artifacts on disk for 7 days from the last time that the job was viewed or touched. Add or edit the default_save_ttl value in limits.conf to override the default value of 7 days.
isSavedSearch Indicates if this is a saved search run using the scheduler.
isZombie Indicates if the process running the search is dead, but with the search not finished.
keywords All positive keywords used by this search. A positive keyword is a keyword that is not in a NOT clause.
label Custom name created for this search.
latestTime The latest time a search job is configured to start.

Can be used to indicate progress. See description for doneProgress.

messages Errors and debug messages.
numPreviews Number of previews generated so far for this search job.
performance A representation of the execution costs.
priority An integer between 0-10 that indicates the search priority.

The priority is mapped to the OS process priority. The higher the number the higher the priority. The priority can be changed using action parameter for POST search/jobs/{search_id}/control. For example, for the action parameter, specify priority=5.

Note: In *nix systems, non-privileged users can only reduce the priority of a process.

remoteSearch The search string that is sent to every search peer.
reportSearch If reporting commands are used, the reporting search.
request GET arguments that the search sends to splunkd.
resultCount The total number of results returned by the search. In other words, this is the subset of scanned events (represented by the scanCount) that actually matches the search terms.
resultIsStreaming Indicates if the final results of the search are available using streaming (for example, no transforming operations).
resultPreviewCount The number of result rows in the latest preview results.
runDuration Time in seconds that the search took to complete.
scanCount The number of events that are scanned or read off disk.
searchEarliestTime Specifies the earliest time for a search, as specified in the search command rather than the earliestTime parameter. It does not snap to the indexed data time bounds for all-time searches (something that earliestTime/latestTime does).
searchLatestTime Specifies the latest time for a search, as specified in the search command rather than the latestTime parameter. It does not snap to the indexed data time bounds for all-time searches (something that earliestTime/latestTime does).
searchProviders A list of all the search peers that were contacted.
sid The search ID number.
statusBuckets Maximum number of timeline buckets.
ttl The time to live, or time before the search job expires after it completes.
Application usage

The user ID is implied by the authentication to the call.

Information returned for each entry includes the search job properties, such as eventCount (number of events returned), runDuration (time the search took to complete), and others. The parameters to POST /search/jobs provides details on search job properties when creating a search. Search job properties are also described in Search job properties in the Knowledge Manager Manual.

You can specify optional arguments based on the search job properties to filter the entries returned. For example, specify search=eventCount>100 as an argument to the GET operation to return searches with event counts greater than 100.

The dispatchState property is of particular interest to determine the state of a search, and can contain the following values:

  QUEUED
   PARSING
   RUNNING
   PAUSED
   FINALIZING
   FAILED
   DONE

This operation also returns performance information for the search. For more information refer to "View search job properties with the Search Job Inspector" in the Knowledge Manager Manual.

For more information on searches in Splunk Enterprise, refer to the Splunk Search Reference.


POST search/jobs method detail

Example

Request parameters
Name Type Default Description
auto_cancel Number 0 If specified, the job automatically cancels after this many seconds of inactivity. (0 means never auto-cancel)
auto_finalize_ec Number 0 Auto-finalize the search after at least this many events are processed.

Specify 0 to indicate no limit.

auto_pause Number 0 If specified, the search job pauses after this many seconds of inactivity. (0 means never auto-pause.)

To restart a paused search job, specify unpause as an action to POST search/jobs/{search_id}/control.

auto_pause only goes into effect once. Unpausing after auto_pause does not put auto_pause into effect again.

custom String Specify a custom parameter (see example).
earliest_time String Specify a time string. Sets the earliest (inclusive), respectively, time bounds for the search.

The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. Refer to Time modifiers for search for information and examples of specifying a time string.

Compare to index_earliest parameter. Also see comment for the search_mode parameter.

enable_lookups Boolean true Indicates whether lookups should be applied to events.

Specifying true (the default) may slow searches significantly depending on the nature of the lookups.

exec_mode Enum normal Valid values: (blocking | oneshot | normal)

If set to normal, runs an asynchronous search.

If set to blocking, returns the sid when the job is complete.

If set to oneshot, returns results in the same call. In this case, you can specify the format for the output (for example, json output) using the output_mode parameter as described in GET search/jobs/export. Default format for output is xml.

force_bundle_replication Boolean false Specifies whether this search should cause (and wait depending on the value of sync_bundle_replication) for bundle synchronization with all search peers.
id String Optional string to specify the search ID (<sid>). If unspecified, a random ID is generated.
index_earliest String Specify a time string. Sets the earliest (inclusive), respectively, time bounds for the search, based on the index time bounds.

The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. Compare to earliest_time parameter. Also see comment for the search_mode parameter.

Refer to Time modifiers for search for information and examples of specifying a time string.

index_latest String Specify a time string. Sets the latest (exclusive), respectively, time bounds for the search, based on the index time bounds.

The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string.

Refer to Time modifiers for search for information and examples of specifying a time string.

Compare to latest_time parameter. Also see comment for the search_mode parameter.

indexedRealtime Boolean Indicate whether or not to used indexed-realtime mode for real-time searches.
indexedRealtimeOffset Number Set disk sync delay for indexed real-time search (seconds).
latest_time String Specify a time string. Sets the latest (exclusive), respectively, time bounds for the search.

The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string.

Refer to Time modifiers for search for information and examples of specifying a time string.

Compare to index_latest parameter. Also see comment for the search_mode parameter.

max_count Number 10000 The number of events that can be accessible in any given status bucket.

Also, in transforming mode, the maximum number of results to store. Specifically, in all calls, codeoffset+count <= max_count.

max_time Number 0 The number of seconds to run this search before finalizing. Specify 0 to never finalize.
namespace String The application namespace in which to restrict searches.

The namespace corresponds to the identifier recognized in the /services/apps/local endpoint.

now String current system time Specify a time string to set the absolute time used for any relative time specifier in the search. Defaults to the current system time.

You can specify a relative time modifier for this parameter. For example, specify +2d to specify the current time plus two days.

If you specify a relative time modifier both in this parameter and in the search string, the search string modifier takes precedence.

Refer to Time modifiers for search for details on specifying relative time modifiers.

reduce_freq Number 0 Determines how frequently to run the MapReduce reduce phase on accumulated map values.
reload_macros Boolean true Specifies whether to reload macro definitions from macros.conf.

Default is true.

remote_server_list String empty list Comma-separated list of (possibly wildcarded) servers from which raw events should be pulled. This same server list is to be used in subsearches.
required_field_list String empty list [Deprecated] Use rf.

A comma-separated list of required fields that, even if not referenced or used directly by the search, is still included by the events and summary endpoints. Splunk Web uses these fields to prepopulate panels in the Search view.

reuse_max_seconds_ago Number Specifies the number of seconds ago to check when an identical search is started and return the job's search ID instead of starting a new job.
rf String Adds a required field to the search. There can be multiple rf POST arguments to the search.

These fields, even if not referenced or used directly by the search, are still included by the events and summary endpoints. Splunk Web uses these fields to prepopulate panels in the Search view.

Consider using this form of passing the required fields to the search instead of the deprecated required_field_list. If both rf and required_field_list are provided, the union of the two lists is used.

rt_blocking Boolean false For a real-time search, indicates if the indexer blocks if the queue for this search is full.
rt_indexfilter Boolean true For a real-time search, indicates if the indexer prefilters events.
rt_maxblocksecs Number 60 For a real-time search with rt_blocking set to true, the maximum time to block.

Specify 0 to indicate no limit.

rt_queue_size Number 10000 events For a real-time search, the queue size (in events) that the indexer should use for this search.
search
required
String The search language string to execute, taking results from the local and remote servers.

Examples:

"search *"
"search * | outputcsv"
search_listener String Registers a search state listener with the search.

Use the format:

search_state;results_condition;http_method;uri;

For example:

search_listener=onResults;true;POST;/servicesNS/admin/search/saved/search/foobar/notify;

search_mode Enum normal Valid values: (normal | realtime)

If set to realtime, search runs over live data. A real-time search may also be indicated by earliest_time and latest_time variables starting with 'rt' even if the search_mode is set to normal or is unset. For a real-time search, if both earliest_time and latest_time are both exactly 'rt', the search represents all appropriate live data received since the start of the search.

Additionally, if earliest_time and/or latest_time are 'rt' followed by a relative time specifiers then a sliding window is used where the time bounds of the window are determined by the relative time specifiers and are continuously updated based on the wall-clock time.

spawn_process Boolean true Specifies whether the search should run in a separate spawned process. Default is true.

Searches against indexes must run in a separate process.

status_buckets Number 0 The most status buckets to generate.

0 indicates to not generate timeline information.

sync_bundle_replication Boolean Specifies whether this search should wait for bundle replication to complete.
time_format String  %FT%T.%Q%:z Used to convert a formatted time string from {start,end}_time into UTC seconds. The default value is the ISO-8601 format.
timeout Number 86400 The number of seconds to keep this search after processing has stopped.
Response data keys

None

Application usage

Refer to Creating searches using the REST API for information on using this endpoint and other search endpoints.

The search parameter is a search language string that specifies the search. Often you create a search specifying just the search parameter. Use the other parameters to customize a search to specific needs.

Use the returned (<sid>) in the following endpoints to view and manage the search:

  search/jobs/{search_id}: View the status of this search job.
  search/jobs/{search_id}/control: Execute job control commands, such as pause, cancel, preview, and others.
  search/jobs/{search_id}/events: View a set of untransformed events for the search.
  search/jobs/{search_id}/results: View results of the search.
  search/jobs/{search_id}/results_preview: Preview results of a search that has not completed
  search/jobs/{search_id}/search.log: View the log file generated by the search.
  search/jobs/{search_id}/summary: View field summary information
  search/jobs/{search_id}/timeline: View event distribution over time.

You can also use the custom attribute to create custom job properties (see example).

For more information on searches in Splunk Enterprise, refer to the Splunk Search Reference.

[ Top ]



search/jobs/export


https://<host>:<mPort>/services/search/jobs/export

Authentication: Not required

Description

Allows for streaming of search results as they become available.

Method summary
Method Description Formats
GET Performs a search identical to POST search/jobs. XML, JSON
POST Performs a search identical to POST search/jobs. XML, JSON

GET search/jobs/export method detail

Example

Request parameters
Name Type Default Description
auto_cancel Number Same as for POST search/jobs.
auto_finalize_ec Number Same as for POST search/jobs.
auto_pause Number Same as for POST search/jobs.
earliest_time String Same as for POST search/jobs.
enable_lookups Bool Same as for POST search/jobs.
force_bundle_replication Bool Same as for POST search/jobs.
id String Same as for POST search/jobs.
index_earliest String Specify a time string. Sets the earliest (inclusive), respectively, time bounds for the search, based on the index time.

The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string.

Refer to Time modifiers for search for information and examples of specifying a time string.

index_latest String Specify a time string. Sets the latest (inclusive), respectively, time bounds for the search, based on the index time.

The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string.

Refer to Time modifiers for search for information and examples of specifying a time string.

latest_time String Same as for POST search/jobs.
max_time Number Same as for POST search/jobs.
namespace String Same as for POST search/jobs.
now String Same as for POST search/jobs.
output_mode Enum xml Valid values: (atom | csv | json | json_cols | json_rows | raw | xml)

Specifies the format for the returned output.

reduce_freq Number Same as for POST search/jobs.
reload_macros Bool Same as for POST search/jobs.
remote_server_list String Same as for POST search/jobs.
required_field_list String Same as for POST search/jobs.
rf String Same as for POST search/jobs.
rt_blocking Bool Same as for POST search/jobs.
rt_indexfilter Bool Same as for POST search/jobs.
rt_maxblocksecs Number Same as for POST search/jobs.
rt_queue_size Number Same as for POST search/jobs.
search
required
String Same as for POST search/jobs.
search_listener String Same as for POST search/jobs.
search_mode Enum Same as for POST search/jobs.
sync_bundle_replication Bool Same as for POST search/jobs.
time_format String Same as for POST search/jobs.
timeout Number Same as for POST search/jobs.
Response data keys

None

Application usage

Performs a search identical to POST search/jobs, except the search does not create a search ID (<sid>) and the search streams results as they become available. Streaming of results is based on the search string.

For non-streaming searches, previews of the final results are available if preview is enabled. If preview is not enabled, it is better to use search/jobs with exec_mode=oneshot.

If it is too big, you might instead run with the search/jobs (not search/jobs/export) endpoint (it takes POST with the same parameters), maybe using the exec_mode=blocking. You'll then get back a search id, and then you can page through the results and request them from the server under your control, which is a better approach for extremely large result sets that need to be chunked.

Example of how to pass a variable to query when using REST API:

This is an example of running a saved search and passing a variable to it. In this case, the variable is host field:

$curl -k -u admin:password https://splunkserver:8089/services/search/jobs/export -d search="savedsearch \ MySavedSearch%20host%3Dwolverine*"

(use "MySavedSearch" and input variable host=wolverine* )

I have a saved search named "MySavedSearch" the query of the search contains:

"index=main $host$ | head 100"


POST search/jobs/export method detail

Example

Request parameters
Name Type Default Description
search String Same as for POST search/jobs.
auto_cancel Number Same as for POST search/jobs.
auto_finalize_ec Number Same as for POST search/jobs.
auto_pause Number Same as for POST search/jobs.
earliest_time String Same as for POST search/jobs.
enable_lookups Bool Same as for POST search/jobs.
force_bundle_replication Bool Same as for POST search/jobs.
id String Same as for POST search/jobs.
index_earliest String Specify a time string. Sets the earliest (inclusive), respectively, time bounds for the search, based on the index time.

The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string.

Refer to Time modifiers for search for information and examples of specifying a time string.

index_latest String Specify a time string. Sets the latest (inclusive), respectively, time bounds for the search, based on the index time.

The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string.

Refer to Time modifiers for search for information and examples of specifying a time string.

latest_time String Same as for POST search/jobs.
max_time Number Same as for POST search/jobs.
namespace String Same as for POST search/jobs.
now String Same as for POST search/jobs.
output_mode Enum xml Valid values: (atom | csv | json | json_cols | json_rows | raw | xml)

Specifies the format for the returned output.

reduce_freq Number Same as for POST search/jobs.
reload_macros Bool Same as for POST search/jobs.
remote_server_list String Same as for POST search/jobs.
required_field_list String Same as for POST search/jobs.
rf String Same as for POST search/jobs.
rt_blocking Bool Same as for POST search/jobs.
rt_indexfilter Bool Same as for POST search/jobs.
rt_maxblocksecs Number Same as for POST search/jobs.
rt_queue_size Number Same as for POST search/jobs.
search_listener String Same as for POST search/jobs.
search_mode Enum Same as for POST search/jobs.
sync_bundle_replication Bool Same as for POST search/jobs.
time_format String Same as for POST search/jobs.
timeout Number Same as for POST search/jobs.
Response data keys

None

Application usage

except the search does not create a search ID (<sid>) and the search streams results as they become available. Streaming of results is based on the search string.

For non-streaming searches, previews of the final results are available if preview is enabled. If preview is not enabled, it is better to use search/jobs with exec_mode=oneshot.

If it is too big, you might instead run with the search/jobs (not search/jobs/export) endpoint (it takes POST with the same parameters), maybe using the exec_mode=blocking. You'll then get back a search id, and then you can page through the results and request them from the server under your control, which is a better approach for extremely large result sets that need to be chunked.

Example of how to pass a variable to query when using REST API:

This is an example of running a saved search and passing a variable to it. In this case, the variable is host field:

$curl -k -u admin:password https://splunkserver:8089/services/search/jobs/export -d search="savedsearch \ MySavedSearch%20host%3Dwolverine*"

(use "MySavedSearch" and input variable host=wolverine* )

I have a saved search named "MySavedSearch" the query of the search contains:

"index=main $host$ | head 100"

[ Top ]



search/jobs/{search_id}


https://<host>:<mPort>/services/search/jobs/{search_id}

Authentication: Not required

Description

Manage the {search_id} search job.

Method summary
Method Description Formats
DELETE Delete the {search_id} search job. XML, JSON
GET Get information about the {search_id} search job. XML, JSON
POST Update the {search_id} search job. XML, JSON

DELETE search/jobs/{search_id} method detail

Example

Request parameters

None

Response data keys

None

Application usage

{search_id} is the <sid> field returned from the GET operation for the search/jobs endpoint.


GET search/jobs/{search_id} method detail

Example

Request parameters

None

Response data keys

None

Application usage

The user ID is implied by the authentication to the call.

Information returned includes the search job properties, such as eventCount (number of events returned), runDuration (time the search took to complete), and others. The parameters to POST /search/jobs provides details on search job properties when creating a search. Search job properties are also described in "View search job properties with the Search Job Inspector" in the Knowledge Manager Manual.

The dispatchState property is of particular interest to determine the state of a search, and can contain the following values:

  QUEUED
   PARSING
   RUNNING
   PAUSED
   FINALIZING
   FAILED
   DONE

This operation also returns performance information for the search. For more information refer to "View search job properties with the Search Job Inspector" in the Knowledge Manager Manual.

For more information on searches in Splunk, refer to the Splunk Search Reference.

POST /search/jobs returns a <sid> for a search. You can also get a search ID from the <sid> field returned from GET search/jobs.


POST search/jobs/{search_id} method detail

Example

Request parameters
Name Type Default Description
custom.*
required
String Specify custom job properties for the specified search job.
Response data keys

None

[ Top ]



search/jobs/{search_id}/control


https://<host>:<mPort>/services/search/jobs/{search_id}/control

Authentication: Not required

Description

Run a job control command for the {search_id} search.

Method summary
Method Description Formats
POST Run a job control command for the {search_id} search. XML, JSON

POST search/jobs/{search_id}/control method detail

Example

Request parameters
Name Type Default Description
action
required
Enum Valid values: (pause | unpause | finalize | cancel | touch | setttl | setpriority | enablepreview | disablepreview)

The control action to execute.

pause: Suspends the execution of the current search.

unpause: Resumes the execution of the current search, if paused.

finalize: Stops the search, and provides intermediate results to the /results endpoint.

cancel: Stops the current search and deletes the result cache.

touch: Extends the expiration time of the search to now + ttl

setttl: Change the ttl of the search. Arguments: ttl=<number>

setpriority: Sets the priority of the search process. Arguments: priority=<0-10>

enablepreview: Enable preview generation (may slow search considerably).

disablepreview: Disable preview generation.

save: saves the search job, storing search artifacts on disk for 7 days. Add or edit the default_save_ttl value in limits.conf to override the default value of 7 days.

unsave: Disables any action performed by save.

Response data keys

None

[ Top ]



search/jobs/{search_id}/events


https://<host>:<mPort>/services/search/jobs/{search_id}/events

Authentication: Not required

Description

Get {search_id} search events.

Method summary
Method Description Formats
GET Get {search_id} search events. XML, JSON

GET search/jobs/{search_id}/events method detail

Example

Request parameters
Name Type Default Description
count Number 100 The maximum number of results to return. If value is set to 0, then all available results are returned. Default value is 100.
earliest_time String A time string representing the earliest (inclusive), respectively, time bounds for the results to be returned. If not specified, the range applies to all results found.
f String A field to return for the event set.

You can pass multiple POST f arguments if multiple field are required. If field_list and f are provided, the union of the lists is used.

field_list String * [Deprecated] Use f.

A comma-separated list of the fields to return for the event set.

latest_time String A time string representing the latest (exclusive), respectively, time bounds for the results to be returned. If not specified, the range applies to all results found.
max_lines Number 0 The maximum lines that any single event _raw field should contain.

Specify 0 to specify no limit.

offset Number 0 The first result (inclusive) from which to begin returning data.

This value is 0-indexed. Default value is 0.

In 4.1+, negative offsets are allowed and are added to count to compute the absolute offset (for example, offset=-1 is the last available offset. Offsets in the results are always absolute and never negative.

output_mode Enum xml Valid values: (atom | csv | json | json_cols | json_rows | raw | xml)

Specifies the format for the returned output.

output_time_format String time_format Formats a UTC time. Defaults to what is specified in time_format.
search String The post processing search to apply to results. Can be any valid search language string.
segmentation String raw The type of segmentation to perform on the data. This incudes an option to perform k/v segmentation.
time_format String  %m/%d/%Y:%H:%M:%S Expression to convert a formatted time string from {start,end}_time into UTC seconds.
truncation_mode Enum abstract Valid values: (abstract | truncate)

Specifies how "max_lines" should be achieved.

Response data keys

None

Application usage

These events are the data from the search pipeline before the first "transforming" search command. This is the primary method for a client to fetch a set of UNTRANSFORMED events for the search job.

This endpoint is only valid if the status_buckets > 0 or the search has no transforming commands.

[ Top ]



search/jobs/{search_id}/results


https://<host>:<mPort>/services/search/jobs/{search_id}/results

Authentication: Not required

Description

Get {search_id} search results.

Method summary
Method Description Formats
GET Get {search_id} search results. XML, JSON

GET search/jobs/{search_id}/results method detail

Example

Request parameters
Name Type Default Description
count Number 100 The maximum number of results to return. If value is set to 0, then all available results are returned.
f String A field to return for the event set.

You can pass multiple POST f arguments if multiple field are required. If field_list and f are provided the union of the lists is used.

field_list String [Deprecated] Use f.

Specify a comma-separated list of the fields to return for the event set.

offset Number 0 The first result (inclusive) from which to begin returning data.

This value is 0-indexed. Default value is 0.

In 4.1+, negative offsets are allowed and are added to count to compute the absolute offset (for example, offset=-1 is the last available offset).

Offsets in the results are always absolute and never negative.

output_mode Enum xml Valid values: (atom | csv | json | json_cols | json_rows | raw | xml)

Specifies the format for the returned output.

search String The post processing search to apply to results. Can be any valid search language string.
Response data keys

None

Application usage

This is the table that exists after all processing from the search pipeline has completed.

This is the primary method for a client to fetch a set of TRANSFORMED events. If the dispatched search does not include a transforming command, the effect is the same as get_events, however with fewer options.

[ Top ]



search/jobs/{search_id}/results_preview


https://<host>:<mPort>/services/search/jobs/{search_id}/results_preview

Authentication: Not required

Description

Preview {search_id} search results.

Method summary
Method Description Formats
GET Preview {search_id} search results. XML, JSON

GET search/jobs/{search_id}/results_preview method detail

Example

Request parameters
Name Type Default Description
count Number 100 The maximum number of results to return.

If value is set to 0, then all available results are returned.

f String A field to return for the event set.

You can pass multiple POST f arguments if multiple field are required. If field_list and f are provided the union of the lists is used.

field_list String [Deprecated] Use f.

A comma-separated list of the fields to return for the event set.

offset Number 0 The first result (inclusive) from which to begin returning data.

This value is 0-indexed. Default value is 0.

output_mode Enum xml Valid values: (atom | csv | json | json_cols | json_rows | raw | xml)

Specifies the format for the returned output.

search String The post processing search to apply to results. Can be any valid search language string.
Response data keys

None

Application usage

Returns the intermediate preview results of the search specified by {search_id}. When the job is complete, this gives the same response as /search/jobs/{search_id}/results. Preview is enabled for real-time searches and for searches where status_buckets > 0.

[ Top ]



search/jobs/{search_id}/search.log


https://<host>:<mPort>/services/search/jobs/{search_id}/search.log

Authentication: Not required

Description

Get the {search_id} search log.

Method summary
Method Description Formats
GET Get the {search_id} search log. XML, JSON

GET search/jobs/{search_id}/search.log method detail

Example

Request parameters
Name Type Default Description
attachment Boolean false If true, returns search.log as an attachment. Otherwise, streams search.log.
Response data keys

None

[ Top ]



search/jobs/{search_id}/summary


https://<host>:<mPort>/services/search/jobs/{search_id}/summary

Authentication: Not required

Description

Get the getFieldsAndStats output of the events to-date, for the search_id search.

Method summary
Method Description Formats
GET Get the getFieldsAndStats output of the events to-date, for the search_id search. XML, JSON

GET search/jobs/{search_id}/summary method detail

Example

Request parameters
Name Type Default Description
earliest_time String Time string representing the earliest (inclusive), respectively, time bounds for the search.

The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. (Also see comment for the search_mode variable.)

f String A field to return for the event set.

You can pass multiple POST f arguments if multiple field are required. If field_list and f are provided, the union of the lists is used.

field_list String [Deprecated] Use f.

A comma-separated list of the fields to return for the event set.

histogram Boolean false Indicates whether to add histogram data to the summary output.
latest_time String Time string representing the latest (exclusive), respectively, time bounds for the search.
min_freq Number 0 For each key, the fraction of results this key must occur in to be displayed.

Express the fraction as a number between 0 and 1.

output_time_format String time_format Formats a UTC time.
search String Empty string Specifies a substring that all returned events should contain either in one of their values or tags.
time_format String  %m/%d/%Y:%H:%M:%S Expression to convert a formatted time string from {start,end}_time into UTC seconds.
top_count Number 10 For each key, specifies how many of the most frequent items to return.
Response data keys

None

Application usage

This endpoint is only valid when status_buckets > 0. To guarantee a set of fields in the summary, when creating the search, use the required_fields_list or rf parameters.

[ Top ]



search/jobs/{search_id}/timeline


https://<host>:<mPort>/services/search/jobs/{search_id}/timeline

Authentication: Not required

Description

Get event distribution over time of the untransformed events read to-date, for the search_id search.

Method summary
Method Description Formats
GET Get event distribution over time of the untransformed events read to-date, for the search_id search. XML, JSON

GET search/jobs/{search_id}/timeline method detail

The output from this endpoint provides values for the following fields:

Field Description
c Event count
a Available. Not all events in a bucket are retrievable. Generally capped at 10000.
t Time in epoch seconds
d Bucket size (time)
f Indicates if the search finished scanning events from the time range of this bucket.
etz Timezone offset, in seconds, for the earliest time of this bucket.

etz and ltz are different if the buckets are months or days and you have a DST change during the middle.

ltz Timezone offset, in seconds, for the latest time of this bucket.

Example

Request parameters
Name Type Default Description
output_time_format String time_format Formats a UTC time.
time_format String  %m/%d/%Y:%H:%M:%S Expression to convert a formatted time string from {start,end}_time into UTC seconds.
Response data keys

None

Application usage

This endpoint is only valid when status_buckets > 0. To guarantee a set of fields in the summary, when creating the search, use the required_fields_list or rf parameters.

[ Top ]



search/parser


https://<host>:<mPort>/services/search/parser

Authentication: Not required

Description

Provide search language parsing services.

Method summary
Method Description Formats
GET Parses Splunk search language and returns semantic map. XML, JSON

GET search/parser method detail

Example

Request parameters
Name Type Default Description
enable_lookups Boolean false If true, reverse lookups are done to expand the search expression.
output_mode String xml Specify output formatting. Select from either:
xml: XML formatting
json: JSON formatting
parse_only Boolean false If true, disables expansion of search due evaluation of subsearches, time term expansion, lookups, tags, eventtypes, sourcetype alias.
q
required
String The search string to parse.
reload_macros Boolean true If true, reload macro definitions from macros.conf.
Response data keys

None

[ Top ]



search/scheduler


https://<host>:<mPort>/services/search/scheduler
Description

Review search scheduler enablement setting.

Authentication: Required

Method summary
Method Description Formats
GET Get current search scheduler enablement status. XML, JSON

Example

Request parameters

None

Response data keys
Name Type Default Description
saved_searches_disabled Boolean 0 or 1 A boolean value indicating whether the search scheduler is disabled.


[ Top ]



search/scheduler/status


https://<host>:<mPort>/services/search/scheduler/status
Description

Enable or disable the search scheduler.

Authentication: Required

Method summary
Method Description Formats
POST Enable or disable the search scheduler. Boolean

Example

Request parameters
Name Type Default Description
disabled Boolean Indicates whether to disable the search scheduler. 0 enables the search scheduler. 1 disables the search scheduler.
Response data keys

None


[ Top ]

search/timeparser


https://<host>:<mPort>/services/search/timeparser

Authentication: Not required

Description

Time argument parse.

Method summary
Method Description Formats
GET Get a lookup table of time arguments to absolute timestamps. XML, JSON

GET search/timeparser method detail

Example

Request parameters
Name Type Default Description
now String The time to use as current time for relative time identifiers.

Can itself either be a relative time (from the real "now" time) or an absolute time in the format specified by time_format.

output_time_format String  %FT%T.%Q%:z Used to format a UTC time. Defaults to the value of time_format.
time
required
String The time argument to parse.

Acceptable inputs are either a relative time identifier or an absolute time. Multiple time arguments can be passed by specifying multiple time parameters.

time_format String  %FT%T.%Q%:z The format (strftime) of the absolute time format passed in time.

This field is not used if a relative time identifier is provided. For absolute times, the default value is the ISO-8601 format.

Response data keys

None

[ Top ]



search/typeahead


https://<host>:<mPort>/services/search/typeahead

Authentication: Not required

Description

Get search string auto-complete suggestions.

Method summary
Method Description Formats
GET Get a list of words or descriptions for possible auto-complete terms. XML, JSON

GET search/typeahead method detail

Example

Request parameters
Name Type Default Description
count
required
Number The number of items to return for this term.
output_mode String csv Specify output formatting. Select from:
csv: CSV formatting
xml: XML formatting
json: JSON formatting
prefix
required
String The term for which to return typeahead results.
Response data keys

None

[ Top ]

Search endpoint examples

alerts/fired_alerts GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/-/alerts/fired_alerts
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>alerts</title>
  <id>https://localhost:8089/services/alerts/fired_alerts</id>
  <updated>2011-07-11T19:27:22-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>-</title>
    <id>https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts/-</id>
    <updated>2011-07-11T19:27:22-07:00</updated>
    <link href="/servicesNS/admin/search/alerts/fired_alerts/-" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/alerts/fired_alerts/-" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl elided -->
        <s:key name="triggered_alert_count">0</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

alerts/fired_alerts/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts/scheduler__admin__search_aGF2ZV9ldmVudHM_at_1310437740_5d3dfde563194ffd_1310437749
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>alerts</title>
  <id>https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts</id>
  <updated>2011-07-11T19:35:25-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

alerts/fired_alerts/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts/MyAlert
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>alerts</title>
  <id>https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts</id>
  <updated>2012-10-25T09:20:04-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987</title>
    <id>https://localhost:8089/servicesNS/nobody/search/alerts/fired_alerts/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987</id>
    <updated>2012-10-25T09:19:47-07:00</updated>
    <link href="/servicesNS/nobody/search/alerts/fired_alerts/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <published>2012-10-25T09:19:47-07:00</published>
    <link href="/servicesNS/nobody/search/alerts/fired_alerts/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987" rel="list"/>
    <link href="/servicesNS/nobody/search/alerts/fired_alerts/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987" rel="remove"/>
    <link href="/servicesNS/nobody/search/search/jobs/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31" rel="job"/>
    <link href="/servicesNS/nobody/search/saved/searches/MyAlert" rel="savedsearch"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="actions"/>
        <s:key name="alert_type">real time</s:key>
        <s:key name="digest_mode">0</s:key>
        <!-- eai:acl elided -->
        <s:key name="expiration_time_rendered">2012-10-26 09:19:47 PDT</s:key>
        <s:key name="savedsearch_name">MyAlert</s:key>
        <s:key name="severity">3</s:key>
        <s:key name="sid">rt_scheduler__admin__search__MyAlert_at_1351181001_5.31</s:key>
        <s:key name="trigger_time">1351181987</s:key>
        <s:key name="trigger_time_rendered">2012-10-25 09:19:47 PDT</s:key>
        <s:key name="triggered_alerts">5</s:key>
      </s:dict>
    </content>
  </entry>
  . . . elided . . .
</feed>

data/commands GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/commands
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>commandsconf</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/commands</id>
  <updated>2011-07-07T00:52:26-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/commands/_reload" rel="_reload"/>
  <s:messages/>
  <entry>
    <title>bucketdir</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/commands/bucketdir</id>
    <updated>2011-07-07T00:52:26-07:00</updated>
    <link href="/servicesNS/nobody/search/data/commands/bucketdir" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/commands/bucketdir" rel="list"/>
    <link href="/servicesNS/nobody/search/data/commands/bucketdir/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/commands/bucketdir/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="changes_colorder">1</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="enableheader">1</s:key>
        <s:key name="filename">bucketdir.py</s:key>
        <s:key name="generates_timeorder">0</s:key>
        <s:key name="generating">0</s:key>
        <s:key name="maxinputs">50000</s:key>
        <s:key name="outputheader">0</s:key>
        <s:key name="passauth">0</s:key>
        <s:key name="required_fields">*</s:key>
        <s:key name="requires_preop">0</s:key>
        <s:key name="retainsevents">0</s:key>
        <s:key name="streaming">0</s:key>
        <s:key name="supports_getinfo">0</s:key>
        <s:key name="supports_rawargs">1</s:key>
        <s:key name="type">python</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/commands/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/commands/input
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>commandsconf</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/commands</id>
  <updated>2011-07-07T00:52:26-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/commands/_reload" rel="_reload"/>
  <s:messages/>
  <entry>
    <title>input</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/commands/input</id>
    <updated>2011-07-07T00:52:26-07:00</updated>
    <link href="/servicesNS/nobody/search/data/commands/input" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/commands/input" rel="list"/>
    <link href="/servicesNS/nobody/search/data/commands/input/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/commands/input/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="changes_colorder">1</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="enableheader">1</s:key>
        <s:key name="filename">input.py</s:key>
        <s:key name="generates_timeorder">0</s:key>
        <s:key name="generating">0</s:key>
        <s:key name="maxinputs">50000</s:key>
        <s:key name="outputheader">0</s:key>
        <s:key name="passauth">1</s:key>
        <s:key name="required_fields">*</s:key>
        <s:key name="requires_preop">0</s:key>
        <s:key name="retainsevents">0</s:key>
        <s:key name="streaming">0</s:key>
        <s:key name="supports_getinfo">0</s:key>
        <s:key name="supports_rawargs">1</s:key>
        <s:key name="type">python</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/searches GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/saved/searches
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>savedsearch</title>
  <id>https://localhost:8089/services/saved/searches</id>
  <updated>2011-07-13T11:56:35-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/saved/searches/_new" rel="create"/>
  <link href="/services/saved/searches/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>Errors in the last 24 hours</title>
    <id>https://localhost:8089/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours</id>
    <updated>2011-07-13T11:56:35-07:00</updated>
    <link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours" rel="list"/>
    <link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours" rel="edit"/>
    <link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours/disable" rel="disable"/>
    <link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours/dispatch" rel="dispatch"/>
    <link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours/history" rel="history"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="action.email">0</s:key>
        <s:key name="action.email.reportServerEnabled">0</s:key>
        <s:key name="action.email.sendresults"/>
        <s:key name="action.email.to"/>
        <s:key name="action.populate_lookup">0</s:key>
        <s:key name="action.rss">0</s:key>
        <s:key name="action.script">0</s:key>
        <s:key name="action.summary_index">0</s:key>
        <s:key name="alert.digest_mode">1</s:key>
        <s:key name="alert.expires">24h</s:key>
        <s:key name="alert.severity">3</s:key>
        <s:key name="alert.suppress"/>
        <s:key name="alert.suppress.period"/>
        <s:key name="alert.track">auto</s:key>
        <s:key name="alert_comparator"/>
        <s:key name="alert_condition"/>
        <s:key name="alert_threshold"/>
        <s:key name="alert_type">always</s:key>
        <s:key name="cron_schedule"/>
        <s:key name="description"/>
        <s:key name="disabled">0</s:key>
        <s:key name="dispatch.buckets">0</s:key>
        <s:key name="dispatch.earliest_time">-1d</s:key>
        <s:key name="dispatch.latest_time"/>
        <s:key name="dispatch.lookups">1</s:key>
        <s:key name="dispatch.max_count">500000</s:key>
        <s:key name="dispatch.max_time">0</s:key>
        <s:key name="dispatch.reduce_freq">10</s:key>
        <s:key name="dispatch.spawn_process">1</s:key>
        <s:key name="dispatch.time_format">%FT%T.%Q%:z</s:key>
        <s:key name="dispatch.ttl">2p</s:key>
        <s:key name="displayview"/>
        <!-- eai:acl elided -->
        <s:key name="is_scheduled">0</s:key>
        <s:key name="is_visible">1</s:key>
        <s:key name="max_concurrent">1</s:key>
        <s:key name="next_scheduled_time"/>
        <s:key name="qualifiedSearch">search  error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )</s:key>
        <s:key name="realtime_schedule">1</s:key>
        <s:key name="request.ui_dispatch_app"/>
        <s:key name="request.ui_dispatch_view"/>
        <s:key name="restart_on_searchpeer_add">1</s:key>
        <s:key name="run_on_startup">0</s:key>
        <s:key name="search">error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )</s:key>
        <s:key name="vsid">*:75qh2fwx</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/searches POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches -d name=MySavedSearch --data-urlencode search="index=_internal source=*metrics.log"
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>savedsearch</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
  <updated>2011-12-09T09:10:21-08:00</updated>
  <generator version="108769"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>MySavedSearch</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch</id>
    <updated>2011-12-09T09:10:21-08:00</updated>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <!-- opensearch nodes elided for brevity. -->
    <content type="text/xml">
      <s:dict>
        <s:key name="action.email">0</s:key>
        <s:key name="action.email.auth_password">$1$o2rN8S6m+0YB</s:key>
        <s:key name="action.email.auth_username">myusername</s:key>
        <s:key name="action.email.bcc"></s:key>
        <s:key name="action.email.cc"></s:key>
        <s:key name="action.email.command"><![CDATA[$action.email.preprocess_results{default=""}$
          | sendemail "server=$action.email.mailserver{default=localhost}$"
          "use_ssl=$action.email.use_ssl{default=false}$"
          "use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$"
          "cc=$action.email.cc$" "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$"
          "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$"
          "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$"
          "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$"
          "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$"
          "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$"
          maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]>
        </s:key>
        <s:key name="action.email.format">html</s:key>
        <s:key name="action.email.from">splunk</s:key>
        <s:key name="action.email.hostname"></s:key>
        <s:key name="action.email.inline">0</s:key>
        <s:key name="action.email.mailserver">localhost</s:key>
        <s:key name="action.email.maxresults">10000</s:key>
        <s:key name="action.email.maxtime">5m</s:key>
        <s:key name="action.email.pdfview"></s:key>
        <s:key name="action.email.preprocess_results"></s:key>
        <s:key name="action.email.reportPaperOrientation">portrait</s:key>
        <s:key name="action.email.reportPaperSize">letter</s:key>
        <s:key name="action.email.reportServerEnabled">1</s:key>
        <s:key name="action.email.reportServerURL"></s:key>
        <s:key name="action.email.sendpdf">0</s:key>
        <s:key name="action.email.sendresults">0</s:key>
        <s:key name="action.email.subject">Splunk Alert: $name$</s:key>
        <s:key name="action.email.to"></s:key>
        <s:key name="action.email.track_alert">1</s:key>
        <s:key name="action.email.ttl">86400</s:key>
        <s:key name="action.email.use_ssl">0</s:key>
        <s:key name="action.email.use_tls">0</s:key>
        <s:key name="action.populate_lookup">0</s:key>
        <s:key name="action.populate_lookup.command">copyresults dest="$action.populate_lookup.dest$"  sid="$search_id$"</s:key>
        <s:key name="action.populate_lookup.dest"></s:key>
        <s:key name="action.populate_lookup.hostname"></s:key>
        <s:key name="action.populate_lookup.maxresults">10000</s:key>
        <s:key name="action.populate_lookup.maxtime">5m</s:key>
        <s:key name="action.populate_lookup.track_alert">0</s:key>
        <s:key name="action.populate_lookup.ttl">120</s:key>
        <s:key name="action.rss">0</s:key>
        <s:key name="action.rss.command">createrss "path=$name$.xml" "name=$name$" "link=$results.url$" "descr=Alert trigger:
          $name$, results.count=$results.count$ " "count=30" "graceful=$graceful{default=1}$" maxtime="$action.rss.maxtime{default=1m}$"
        </s:key>
        <s:key name="action.rss.hostname"></s:key>
        <s:key name="action.rss.maxresults">10000</s:key>
        <s:key name="action.rss.maxtime">1m</s:key>
        <s:key name="action.rss.track_alert">0</s:key>
        <s:key name="action.rss.ttl">86400</s:key>
        <s:key name="action.script">0</s:key>
        <s:key name="action.script.command">runshellscript "$action.script.filename$" "$results.count$" "$search$" "$search$" "$name$"
          "Saved Search [$name$] $counttype$($results.count$)" "$results.url$" "$deprecated_arg$" "$search_id$" "$results.file$"
          maxtime="$action.script.maxtime{default=5m}$"
        </s:key>
        <s:key name="action.script.filename"></s:key>
        <s:key name="action.script.hostname"></s:key>
        <s:key name="action.script.maxresults">10000</s:key>
        <s:key name="action.script.maxtime">5m</s:key>
        <s:key name="action.script.track_alert">1</s:key>
        <s:key name="action.script.ttl">600</s:key>
        <s:key name="action.summary_index">0</s:key>
        <s:key name="action.summary_index._name">summary</s:key>
        <s:key name="action.summary_index.command"><![CDATA[summaryindex spool=t uselb=t addtime=t index="$action.summary_index._name{required=yes}$"
          file="$name$_$#random$.stash_new" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\",
          key_regex="action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|track_alert|(?:_.*))$)(.*)"}$"]]>
        </s:key>
        <s:key name="action.summary_index.hostname"></s:key>
        <s:key name="action.summary_index.inline">1</s:key>
        <s:key name="action.summary_index.maxresults">10000</s:key>
        <s:key name="action.summary_index.maxtime">5m</s:key>
        <s:key name="action.summary_index.track_alert">0</s:key>
        <s:key name="action.summary_index.ttl">120</s:key>
        <s:key name="alert.digest_mode">1</s:key>
        <s:key name="alert.expires">24h</s:key>
        <s:key name="alert.severity">3</s:key>
        <s:key name="alert.suppress"></s:key>
        <s:key name="alert.suppress.fields"></s:key>
        <s:key name="alert.suppress.period"></s:key>
        <s:key name="alert.track">auto</s:key>
        <s:key name="alert_comparator"></s:key>
        <s:key name="alert_condition"></s:key>
        <s:key name="alert_threshold"></s:key>
        <s:key name="alert_type">always</s:key>
        <s:key name="cron_schedule"></s:key>
        <s:key name="description"></s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="dispatch.buckets">0</s:key>
        <s:key name="dispatch.earliest_time"></s:key>
        <s:key name="dispatch.latest_time"></s:key>
        <s:key name="dispatch.lookups">1</s:key>
        <s:key name="dispatch.max_count">500000</s:key>
        <s:key name="dispatch.max_time">0</s:key>
        <s:key name="dispatch.reduce_freq">10</s:key>
        <s:key name="dispatch.rt_backfill">0</s:key>
        <s:key name="dispatch.spawn_process">1</s:key>
        <s:key name="dispatch.time_format">%FT%T.%Q%:z</s:key>
        <s:key name="dispatch.ttl">2p</s:key>
        <s:key name="displayview"></s:key>
        <!-- eai:acl elided -->
        <s:key name="is_scheduled">0</s:key>
        <s:key name="is_visible">1</s:key>
        <s:key name="max_concurrent">1</s:key>
        <s:key name="next_scheduled_time"></s:key>
        <s:key name="qualifiedSearch">search  index=_internal source=*metrics.log</s:key>
        <s:key name="realtime_schedule">1</s:key>
        <s:key name="request.ui_dispatch_app"></s:key>
        <s:key name="request.ui_dispatch_view"></s:key>
        <s:key name="restart_on_searchpeer_add">1</s:key>
        <s:key name="run_on_startup">0</s:key>
        <s:key name="search">index=_internal source=*metrics.log</s:key>
        <s:key name="vsid"></s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/searches/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>savedsearch</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
  <updated>2011-07-13T12:09:05-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

saved/searches/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>savedsearch</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
  <updated>2011-07-13T11:57:54-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>MySavedSearch</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch</id>
    <updated>2011-07-13T11:57:54-07:00</updated>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="list"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="remove"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/move" rel="move"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/disable" rel="disable"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/dispatch" rel="dispatch"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/history" rel="history"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="action.email">0</s:key>
        <s:key name="action.email.auth_password"/>
        <s:key name="action.email.auth_username"/>
        <s:key name="action.email.bcc"/>
        <s:key name="action.email.cc"/>
        <s:key name="action.email.command">
      <![CDATA[$action.email.preprocess_results{default=""}$
     | sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$"
      "use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$"
      "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$"
      "format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)"
      "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$"
      "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$"
      "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$"
      maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]>
        </s:key>
        <s:key name="action.email.format">html</s:key>
        <s:key name="action.email.from">splunk</s:key>
        <s:key name="action.email.hostname"/>
        <s:key name="action.email.inline">0</s:key>
        <s:key name="action.email.mailserver">localhost</s:key>
        <s:key name="action.email.maxresults">10000</s:key>
        <s:key name="action.email.maxtime">5m</s:key>
        <s:key name="action.email.preprocess_results"/>
        <s:key name="action.email.reportPaperOrientation">portrait</s:key>
        <s:key name="action.email.reportPaperSize">letter</s:key>
        <s:key name="action.email.reportServerEnabled">0</s:key>
        <s:key name="action.email.reportServerURL"/>
        <s:key name="action.email.sendpdf">0</s:key>
        <s:key name="action.email.sendresults">0</s:key>
        <s:key name="action.email.subject">Splunk Alert: $name$</s:key>
        <s:key name="action.email.to"/>
        <s:key name="action.email.track_alert">1</s:key>
        <s:key name="action.email.ttl">86400</s:key>
        <s:key name="action.email.use_ssl">0</s:key>
        <s:key name="action.email.use_tls">0</s:key>
        <s:key name="action.populate_lookup">0</s:key>
        <s:key name="action.populate_lookup.command">
          copyresults dest="$action.populate_lookup.dest$"  sid="$search_id$"
        </s:key>
        <s:key name="action.populate_lookup.hostname"/>
        <s:key name="action.populate_lookup.maxresults">10000</s:key>
        <s:key name="action.populate_lookup.maxtime">5m</s:key>
        <s:key name="action.populate_lookup.track_alert">0</s:key>
        <s:key name="action.populate_lookup.ttl">120</s:key>
        <s:key name="action.rss">0</s:key>
        <s:key name="action.rss.command">
          createrss "path=$name$.xml" "name=$name$" "link=$results.url$"
          "descr=Alert trigger: $name$, results.count=$results.count$ " "count=30"
          "graceful=$graceful{default=1}$" maxtime="$action.rss.maxtime{default=1m}$"
        </s:key>
        <s:key name="action.rss.hostname"/>
        <s:key name="action.rss.maxresults">10000</s:key>
        <s:key name="action.rss.maxtime">1m</s:key>
        <s:key name="action.rss.track_alert">0</s:key>
        <s:key name="action.rss.ttl">86400</s:key>
        <s:key name="action.script">0</s:key>
        <s:key name="action.script.command">runshellscript "$action.script.filename$"
          "$results.count$" "$search$" "$search$" "$name$"
          "Saved Search [$name$] $counttype$($results.count$)" "$results.url$"
          "$deprecated_arg$" "$search_id$"
          maxtime="$action.script.maxtime{default=5m}$"
        </s:key>
        <s:key name="action.script.hostname"/>
        <s:key name="action.script.maxresults">10000</s:key>
        <s:key name="action.script.maxtime">5m</s:key>
        <s:key name="action.script.track_alert">1</s:key>
        <s:key name="action.script.ttl">600</s:key>
        <s:key name="action.summary_index">0</s:key>
        <s:key name="action.summary_index._name">summary</s:key>
        <s:key name="action.summary_index.command">
          <![CDATA[summaryindex spool=t uselb=t addtime=t index="$action.summary_index._name{required=yes}$"
          file="$name$_$#random$.stash_new" name="$name$"
          marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\",
            key_regex="action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|track_alert|(?:_.*))$)(.*)"}$"]]>
        </s:key>
        <s:key name="action.summary_index.hostname"/>
        <s:key name="action.summary_index.inline">1</s:key>
        <s:key name="action.summary_index.maxresults">10000</s:key>
        <s:key name="action.summary_index.maxtime">5m</s:key>
        <s:key name="action.summary_index.track_alert">0</s:key>
        <s:key name="action.summary_index.ttl">120</s:key>
        <s:key name="alert.digest_mode">1</s:key>
        <s:key name="alert.expires">24h</s:key>
        <s:key name="alert.severity">3</s:key>
        <s:key name="alert.suppress"/>
        <s:key name="alert.suppress.period"/>
        <s:key name="alert.track">auto</s:key>
        <s:key name="alert_comparator"/>
        <s:key name="alert_condition"/>
        <s:key name="alert_threshold"/>
        <s:key name="alert_type">always</s:key>
        <s:key name="cron_schedule"/>
        <s:key name="description"/>
        <s:key name="disabled">0</s:key>
        <s:key name="dispatch.buckets">0</s:key>
        <s:key name="dispatch.earliest_time"/>
        <s:key name="dispatch.latest_time"/>
        <s:key name="dispatch.lookups">1</s:key>
        <s:key name="dispatch.max_count">500000</s:key>
        <s:key name="dispatch.max_time">0</s:key>
        <s:key name="dispatch.reduce_freq">10</s:key>
        <s:key name="dispatch.spawn_process">1</s:key>
        <s:key name="dispatch.time_format">%FT%T.%Q%:z</s:key>
        <s:key name="dispatch.ttl">2p</s:key>
        <s:key name="displayview"/>
        <!-- eai:acl elided -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>action.email</s:item>
                <s:item>action.email.auth_password</s:item>
                <s:item>action.email.auth_username</s:item>
                <s:item>action.email.bcc</s:item>
                <s:item>action.email.cc</s:item>
                <s:item>action.email.command</s:item>
                <s:item>action.email.format</s:item>
                <s:item>action.email.from</s:item>
                <s:item>action.email.hostname</s:item>
                <s:item>action.email.inline</s:item>
                <s:item>action.email.mailserver</s:item>
                <s:item>action.email.maxresults</s:item>
                <s:item>action.email.maxtime</s:item>
                <s:item>action.email.preprocess_results</s:item>
                <s:item>action.email.reportPaperOrientation</s:item>
                <s:item>action.email.reportPaperSize</s:item>
                <s:item>action.email.reportServerEnabled</s:item>
                <s:item>action.email.reportServerURL</s:item>
                <s:item>action.email.sendpdf</s:item>
                <s:item>action.email.sendresults</s:item>
                <s:item>action.email.subject</s:item>
                <s:item>action.email.to</s:item>
                <s:item>action.email.track_alert</s:item>
                <s:item>action.email.ttl</s:item>
                <s:item>action.email.use_ssl</s:item>
                <s:item>action.email.use_tls</s:item>
                <s:item>action.populate_lookup</s:item>
                <s:item>action.populate_lookup.command</s:item>
                <s:item>action.populate_lookup.hostname</s:item>
                <s:item>action.populate_lookup.maxresults</s:item>
                <s:item>action.populate_lookup.maxtime</s:item>
                <s:item>action.populate_lookup.track_alert</s:item>
                <s:item>action.populate_lookup.ttl</s:item>
                <s:item>action.rss</s:item>
                <s:item>action.rss.command</s:item>
                <s:item>action.rss.hostname</s:item>
                <s:item>action.rss.maxresults</s:item>
                <s:item>action.rss.maxtime</s:item>
                <s:item>action.rss.track_alert</s:item>
                <s:item>action.rss.ttl</s:item>
                <s:item>action.script</s:item>
                <s:item>action.script.command</s:item>
                <s:item>action.script.hostname</s:item>
                <s:item>action.script.maxresults</s:item>
                <s:item>action.script.maxtime</s:item>
                <s:item>action.script.track_alert</s:item>
                <s:item>action.script.ttl</s:item>
                <s:item>action.summary_index</s:item>
                <s:item>action.summary_index._name</s:item>
                <s:item>action.summary_index.command</s:item>
                <s:item>action.summary_index.hostname</s:item>
                <s:item>action.summary_index.inline</s:item>
                <s:item>action.summary_index.maxresults</s:item>
                <s:item>action.summary_index.maxtime</s:item>
                <s:item>action.summary_index.track_alert</s:item>
                <s:item>action.summary_index.ttl</s:item>
                <s:item>actions</s:item>
                <s:item>alert.digest_mode</s:item>
                <s:item>alert.expires</s:item>
                <s:item>alert.severity</s:item>
                <s:item>alert.suppress</s:item>
                <s:item>alert.suppress.period</s:item>
                <s:item>alert.track</s:item>
                <s:item>alert_comparator</s:item>
                <s:item>alert_condition</s:item>
                <s:item>alert_threshold</s:item>
                <s:item>alert_type</s:item>
                <s:item>cron_schedule</s:item>
                <s:item>description</s:item>
                <s:item>disabled</s:item>
                <s:item>dispatch.buckets</s:item>
                <s:item>dispatch.earliest_time</s:item>
                <s:item>dispatch.latest_time</s:item>
                <s:item>dispatch.lookups</s:item>
                <s:item>dispatch.max_count</s:item>
                <s:item>dispatch.max_time</s:item>
                <s:item>dispatch.reduce_freq</s:item>
                <s:item>dispatch.spawn_process</s:item>
                <s:item>dispatch.time_format</s:item>
                <s:item>dispatch.ttl</s:item>
                <s:item>displayview</s:item>
                <s:item>is_scheduled</s:item>
                <s:item>is_visible</s:item>
                <s:item>max_concurrent</s:item>
                <s:item>next_scheduled_time</s:item>
                <s:item>qualifiedSearch</s:item>
                <s:item>realtime_schedule</s:item>
                <s:item>request.ui_dispatch_app</s:item>
                <s:item>request.ui_dispatch_view</s:item>
                <s:item>restart_on_searchpeer_add</s:item>
                <s:item>run_on_startup</s:item>
                <s:item>vsid</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>search</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>action\..*</s:item>
                <s:item>args\..*</s:item>
                <s:item>dispatch\..*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="is_scheduled">0</s:key>
        <s:key name="is_visible">1</s:key>
        <s:key name="max_concurrent">1</s:key>
        <s:key name="next_scheduled_time"/>
        <s:key name="qualifiedSearch">search  index</s:key>
        <s:key name="realtime_schedule">1</s:key>
        <s:key name="request.ui_dispatch_app"/>
        <s:key name="request.ui_dispatch_view"/>
        <s:key name="restart_on_searchpeer_add">1</s:key>
        <s:key name="run_on_startup">0</s:key>
        <s:key name="search">index</s:key>
        <s:key name="vsid"/>
      </s:dict>
    </content>
  </entry>
</feed>

saved/searches/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch -d actions=email -d action.email.to="nobody@example.com, info@example.com" -d search="my search here"
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>savedsearch</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
  <updated>2011-07-26T18:20:14-04:00</updated>
  <generator version="104601"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>MySavedSearch</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch</id>
    <updated>2011-07-26T18:20:14-04:00</updated>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="list"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="remove"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/move" rel="move"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/disable" rel="disable"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/dispatch" rel="dispatch"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/history" rel="history"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="action.email">1</s:key>
        <s:key name="action.email.auth_password"></s:key>
        <s:key name="action.email.auth_username"></s:key>
        <s:key name="action.email.bcc"></s:key>
        <s:key name="action.email.cc"></s:key>
        <s:key name="action.email.command">
          <![CDATA[$action.email.preprocess_results{default=""}$ |
                    sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$"
                    "use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$"
                    "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$"
                    "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$"
                    "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$"
                    "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$"
                    "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$"
                    "pdfview=$action.email.pdfview$" "searchid=$search_id$"
                    "graceful=$graceful{default=True}$" maxinputs="$action.email.maxresults{default=10000}$"
                    maxtime="$action.email.maxtime{default=5m}$"]]>
        </s:key>
        <s:key name="action.email.format">html</s:key>
        <s:key name="action.email.from">splunk</s:key>
        <s:key name="action.email.hostname"></s:key>
        <s:key name="action.email.inline">0</s:key>
        <s:key name="action.email.mailserver">localhost</s:key>
        <s:key name="action.email.maxresults">10000</s:key>
        <s:key name="action.email.maxtime">5m</s:key>
        <s:key name="action.email.preprocess_results"></s:key>
        <s:key name="action.email.reportPaperOrientation">portrait</s:key>
        <s:key name="action.email.reportPaperSize">letter</s:key>
        <s:key name="action.email.reportServerEnabled">0</s:key>
        <s:key name="action.email.reportServerURL"></s:key>
        <s:key name="action.email.sendpdf">0</s:key>
        <s:key name="action.email.sendresults">0</s:key>
        <s:key name="action.email.subject">Splunk Alert: $name$</s:key>
        <s:key name="action.email.to">nobody@example.com,info@example.com</s:key>
        <s:key name="action.email.track_alert">1</s:key>
        <s:key name="action.email.ttl">86400</s:key>
        <s:key name="action.email.use_ssl">0</s:key>
        <s:key name="action.email.use_tls">0</s:key>
        <s:key name="action.populate_lookup">0</s:key>
        <s:key name="action.populate_lookup.command">copyresults dest="$action.populate_lookup.dest$"  sid="$search_id$"</s:key>
        <s:key name="action.populate_lookup.hostname"></s:key>
        <s:key name="action.populate_lookup.maxresults">10000</s:key>
        <s:key name="action.populate_lookup.maxtime">5m</s:key>
        <s:key name="action.populate_lookup.track_alert">0</s:key>
        <s:key name="action.populate_lookup.ttl">120</s:key>
        <s:key name="action.rss">0</s:key>
        <s:key name="action.rss.command">createrss "path=$name$.xml" "name=$name$" "link=$results.url$" "descr=Alert trigger: $name$, results.count=$results.count$ " "count=30" "graceful=$graceful{default=1}$" maxtime="$action.rss.maxtime{default=1m}$"</s:key>
        <s:key name="action.rss.hostname"></s:key>
        <s:key name="action.rss.maxresults">10000</s:key>
        <s:key name="action.rss.maxtime">1m</s:key>
        <s:key name="action.rss.track_alert">0</s:key>
        <s:key name="action.rss.ttl">86400</s:key>
        <s:key name="action.script">0</s:key>
        <s:key name="action.script.command">runshellscript "$action.script.filename$" "$results.count$" "$search$" "$search$" "$name$" "Saved Search [$name$] $counttype$($results.count$)" "$results.url$" "$deprecated_arg$" "$search_id$" "$results.file$" maxtime="$action.script.maxtime{default=5m}$"</s:key>
        <s:key name="action.script.hostname"></s:key>
        <s:key name="action.script.maxresults">10000</s:key>
        <s:key name="action.script.maxtime">5m</s:key>
        <s:key name="action.script.track_alert">1</s:key>
        <s:key name="action.script.ttl">600</s:key>
        <s:key name="action.summary_index">0</s:key>
        <s:key name="action.summary_index._name">summary</s:key>
        <s:key name="action.summary_index.command"><![CDATA[summaryindex spool=t uselb=t addtime=t index="$action.summary_index._name{required=yes}$" file="$name$_$#random$.stash_new" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|track_alert|(?:_.*))$)(.*)"}$"]]></s:key>
        <s:key name="action.summary_index.hostname"></s:key>
        <s:key name="action.summary_index.inline">1</s:key>
        <s:key name="action.summary_index.maxresults">10000</s:key>
        <s:key name="action.summary_index.maxtime">5m</s:key>
        <s:key name="action.summary_index.track_alert">0</s:key>
        <s:key name="action.summary_index.ttl">120</s:key>
        <s:key name="actions">email</s:key>
        <s:key name="alert.digest_mode">1</s:key>
        <s:key name="alert.expires">24h</s:key>
        <s:key name="alert.severity">3</s:key>
        <s:key name="alert.suppress"></s:key>
        <s:key name="alert.suppress.period"></s:key>
        <s:key name="alert.track">auto</s:key>
        <s:key name="alert_comparator"></s:key>
        <s:key name="alert_condition"></s:key>
        <s:key name="alert_threshold"></s:key>
        <s:key name="alert_type">always</s:key>
        <s:key name="cron_schedule"></s:key>
        <s:key name="description"></s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="dispatch.buckets">0</s:key>
        <s:key name="dispatch.earliest_time"></s:key>
        <s:key name="dispatch.latest_time"></s:key>
        <s:key name="dispatch.lookups">1</s:key>
        <s:key name="dispatch.max_count">500000</s:key>
        <s:key name="dispatch.max_time">0</s:key>
        <s:key name="dispatch.reduce_freq">10</s:key>
        <s:key name="dispatch.rt_backfill">0</s:key>
        <s:key name="dispatch.spawn_process">1</s:key>
        <s:key name="dispatch.time_format">%FT%T.%Q%:z</s:key>
        <s:key name="dispatch.ttl">2p</s:key>
        <s:key name="displayview"></s:key>
        <!-- eai:acl elided -->
        <s:key name="is_scheduled">0</s:key>
        <s:key name="is_visible">1</s:key>
        <s:key name="max_concurrent">1</s:key>
        <s:key name="next_scheduled_time"></s:key>
        <s:key name="qualifiedSearch">search  my seach here</s:key>
        <s:key name="realtime_schedule">1</s:key>
        <s:key name="request.ui_dispatch_app"></s:key>
        <s:key name="request.ui_dispatch_view"></s:key>
        <s:key name="restart_on_searchpeer_add">1</s:key>
        <s:key name="run_on_startup">0</s:key>
        <s:key name="search">my search here</s:key>
        <s:key name="vsid"></s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/searches/{name}/acknowledge POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MyAlert/acknowledge -X POST
XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>savedsearch</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
  <updated>2011-07-26T18:31:07-04:00</updated>
  <generator version="104601"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

saved/searches/{name}/dispatch POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch/dispatch -d trigger_actions=1
XML Response

<?xml version='1.0' encoding='UTF-8'?>
<response><sid>admin__admin__search__MySavedSearch_at_1311797437_d831d980832e3e89</sid></response>

saved/searches/{name}/history GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch/history
    
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>MySavedSearch</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
  <updated>2011-07-26T18:13:20-04:00</updated>
  <generator version="104601"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
  <opensearch:totalResults>2</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2</title>
    <id>https://localhost:8089/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2</id>
    <updated>2011-07-26T18:13:18-04:00</updated>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <published>2011-07-26T18:13:01-04:00</published>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2" rel="list"/>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2" rel="edit"/>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl elided -->
        <s:key name="isDone">1</s:key>
        <s:key name="isFinalized">0</s:key>
        <s:key name="isRealTimeSearch">0</s:key>
        <s:key name="isSaved">0</s:key>
        <s:key name="isScheduled">1</s:key>
        <s:key name="isZombie">0</s:key>
        <s:key name="ttl">86382</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b</title>
    <id>https://localhost:8089/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b</id>
    <updated>2011-07-26T17:51:23-04:00</updated>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <published>2011-07-26T17:51:01-04:00</published>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b" rel="list"/>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b" rel="edit"/>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl elided -->
        <s:key name="isDone">1</s:key>
        <s:key name="isFinalized">0</s:key>
        <s:key name="isRealTimeSearch">0</s:key>
        <s:key name="isSaved">0</s:key>
        <s:key name="isScheduled">1</s:key>
        <s:key name="isZombie">0</s:key>
        <s:key name="ttl">85062</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/searches/{name}/reschedule POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/saved/searches/Purchased%20products%2C%20last%2024%20hours/reschedule -d schedule_time=2012-08-15T14:11:01Z
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>savedsearch</title>
  <id>https://localhost:8089/services/saved/searches</id>
  <updated>2012-07-27T11:21:43-07:00</updated>
  <generator build="131547" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/saved/searches/_new" rel="create"/>
  <link href="/services/saved/searches/_reload" rel="_reload"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

saved/searches/{name}/scheduled_times GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/saved/searches/_ScheduledView__dashboard_live/scheduled_times --get -d earliest_time=-5h -d latest_time=-3h
XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>savedsearch</title>
  <id>https://localhost:8089/services/saved/searches</id>
  <updated>2011-12-02T11:12:55-08:00</updated>
  <generator version="108769"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/saved/searches/_new" rel="create"/>
  <link href="/services/saved/searches/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>_ScheduledView__dashboard_live</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/searches/_ScheduledView__dashboard_live</id>
    <updated>2011-12-02T11:12:55-08:00</updated>
    <link href="/servicesNS/admin/search/saved/searches/_ScheduledView__dashboard_live" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <!-- opensearch nodes elided for brevity. -->
    <content type="text/xml">
      <s:dict>
        <s:key name="action.email">1</s:key>
        <s:key name="action.email.auth_password">$1$o2rN8S6m+0YB</s:key>
        <s:key name="action.email.auth_username">myusername</s:key>
        . . . elided . . .
        <s:key name="action.email.pdfview">dashboard_live</s:key>
        . . . elided . . .
        <s:key name="action.email.subject">Splunk Alert: $name$</s:key>
        <s:key name="action.email.to">myusername@example.com</s:key>
        . . . elided . . .
         <s:key name="action.summary_index">0</s:key>
        <s:key name="action.summary_index._name">summary</s:key>
        . . . elided . . .
        <s:key name="actions">email</s:key>
        <s:key name="alert.digest_mode">1</s:key>
        <s:key name="alert.expires">24h</s:key>
        <s:key name="alert.severity">3</s:key>
        <s:key name="alert.suppress"></s:key>
        <s:key name="alert.suppress.fields"></s:key>
        <s:key name="alert.suppress.period"></s:key>
        <s:key name="alert.track">auto</s:key>
        <s:key name="alert_comparator"></s:key>
        <s:key name="alert_condition"></s:key>
        <s:key name="alert_threshold"></s:key>
        <s:key name="alert_type">always</s:key>
        <s:key name="cron_schedule">*/30 * * * *</s:key>
        <s:key name="description">scheduled search for view name=dashboard_live</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="dispatch.buckets">0</s:key>
        <s:key name="dispatch.earliest_time">1</s:key>
        <s:key name="dispatch.latest_time">2</s:key>
        <s:key name="dispatch.lookups">1</s:key>
        <s:key name="dispatch.max_count">500000</s:key>
        <s:key name="dispatch.max_time">0</s:key>
        . . . elided . . .
        <!-- eai:acl elided -->
        <s:key name="is_scheduled">1</s:key>
        <s:key name="is_visible">0</s:key>
        <s:key name="max_concurrent">1</s:key>
        <s:key name="next_scheduled_time">2011-12-02 11:30:00 PST</s:key>
        <s:key name="qualifiedSearch"> noop</s:key>
        <s:key name="realtime_schedule">1</s:key>
        <s:key name="request.ui_dispatch_app"></s:key>
        <s:key name="request.ui_dispatch_view"></s:key>
        <s:key name="restart_on_searchpeer_add">1</s:key>
        <s:key name="run_on_startup">0</s:key>
        <s:key name="scheduled_times"><s:list><s:item>1322836200</s:item><s:item>1322838000</s:item><s:item>1322839800</s:item><s:item>1322841600</s:item></s:list></s:key>
        <s:key name="search">| noop</s:key>
        <s:key name="vsid"></s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/searches/{name}/suppress GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch/suppress
XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>savedsearch</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
  <updated>2011-07-26T18:22:51-04:00</updated>
  <generator version="104601"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>MySavedSearch</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch</id>
    <updated>2011-07-26T18:22:51-04:00</updated>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="list"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl elided -->
        <s:key name="expiration">13811</s:key>
        <s:key name="suppressed">1</s:key>
        <s:key name="suppressionKey">admin;search;MySavedSearch;;</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

scheduled/views GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/scheduled/views
XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>scheduledviews</title>
  <id>https://localhost:8089/servicesNS/admin/search/admin/scheduledviews</id>
  <updated>2011-07-27T16:27:55-04:00</updated>
  <generator version="104601"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/admin/scheduledviews/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>_ScheduledView__MyView</title>
    <id>https://localhost:8089/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView</id>
    <updated>2011-07-27T16:27:55-04:00</updated>
    <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView" rel="list"/>
    <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView" rel="edit"/>
    <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView" rel="remove"/>
    <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/move" rel="move"/>
    <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/disable" rel="disable"/>
    <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/dispatch" rel="dispatch"/>
    <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/history" rel="history"/>
    <link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/notify" rel="notify"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="action.email">1</s:key>
        <s:key name="action.email.pdfview">MyView</s:key>
        <s:key name="action.email.sendpdf">1</s:key>
        <s:key name="action.email.sendresults"></s:key>
        <s:key name="action.email.to">email@example.com</s:key>
        <s:key name="action.email.ttl">10</s:key>
        <s:key name="cron_schedule">* * * * *</s:key>
        <s:key name="description">scheduled search for view name=MyView</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl elided -->
        <s:key name="is_scheduled">1</s:key>
        <s:key name="next_scheduled_time">2011-07-27 16:28:00 EDT</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

scheduled/views/{name} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/scheduled/views/MyView
XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>scheduledviews</title>
  <id>https://localhost:8089/servicesNS/admin/search/admin/scheduledviews</id>
  <updated>2011-07-27T16:16:02-04:00</updated>
  <generator version="104601"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/admin/scheduledviews/_reload" rel="_reload"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

scheduled/views/{name} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/scheduled/views/MyView
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>scheduledviews</title>
  <id>https://localhost:8089/servicesNS/admin/search/scheduled/views</id>
  <updated>2011-07-27T17:12:11-04:00</updated>
  <generator version="104601"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/scheduled/views/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>_ScheduledView__MyView</title>
    <id>https://localhost:8089/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView</id>
    <updated>2011-07-27T17:12:11-04:00</updated>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="list"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="edit"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="remove"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/move" rel="move"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/disable" rel="disable"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/dispatch" rel="dispatch"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/history" rel="history"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/notify" rel="notify"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="action.email">1</s:key>
        <s:key name="action.email.auth_password"></s:key>
        <s:key name="action.email.auth_username"></s:key>
        <s:key name="action.email.bcc"></s:key>
        <s:key name="action.email.cc"></s:key>
        <s:key name="action.email.command">
          <![CDATA[$action.email.preprocess_results{default=""}$ |
                   sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$"
                   "use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$"
                   "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$"
                   "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$"
                   "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$"
                   "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$"
                   "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$"
                   "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$"
                   maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]>
        </s:key>
        <s:key name="action.email.format">html</s:key>
        <s:key name="action.email.from">splunk</s:key>
        <s:key name="action.email.hostname"></s:key>
        <s:key name="action.email.inline">0</s:key>
        <s:key name="action.email.mailserver">localhost</s:key>
        <s:key name="action.email.maxresults">10000</s:key>
        <s:key name="action.email.maxtime">5m</s:key>
        <s:key name="action.email.pdfview">MyView</s:key>
        <s:key name="action.email.preprocess_results"></s:key>
        <s:key name="action.email.reportPaperOrientation">portrait</s:key>
        <s:key name="action.email.reportPaperSize">letter</s:key>
        <s:key name="action.email.reportServerEnabled">0</s:key>
        <s:key name="action.email.reportServerURL"></s:key>
        <s:key name="action.email.sendpdf">1</s:key>
        <s:key name="action.email.sendresults">0</s:key>
        <s:key name="action.email.subject">Splunk Alert: $name$</s:key>
        <s:key name="action.email.to">info@example.com</s:key>
        <s:key name="action.email.track_alert">1</s:key>
        <s:key name="action.email.ttl">10</s:key>
        <s:key name="action.email.use_ssl">0</s:key>
        <s:key name="action.email.use_tls">0</s:key>
        <s:key name="cron_schedule">* * * * *</s:key>
        <s:key name="description">scheduled search for view name=MyView</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl elided -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>description</s:item>
                <s:item>disabled</s:item>
                <s:item>next_scheduled_time</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>action.email.to</s:item>
                <s:item>cron_schedule</s:item>
                <s:item>is_scheduled</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list><s:item>action\.email.*</s:item></s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="is_scheduled">1</s:key>
        <s:key name="next_scheduled_time">2011-07-27 17:13:00 EDT</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

scheduled/views/{name} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/scheduled/views/MyVew -d action.email.to="info@example.com" -d cron_schedule="0 * * * *" -d is_scheduled=1 -d description="New description"
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>scheduledviews</title>
  <id>https://localhost:8089/servicesNS/admin/search/scheduled/views</id>
  <updated>2011-07-27T17:59:32-04:00</updated>
  <generator version="104601"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/scheduled/views/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>_ScheduledView__MyView</title>
    <id>https://localhost:8089/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView</id>
    <updated>2011-07-27T17:59:32-04:00</updated>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="list"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="edit"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="remove"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/move" rel="move"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/disable" rel="disable"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/dispatch" rel="dispatch"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/history" rel="history"/>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/notify" rel="notify"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="action.email">1</s:key>
        <s:key name="action.email.auth_password"></s:key>
        <s:key name="action.email.auth_username"></s:key>
        <s:key name="action.email.bcc"></s:key>
        <s:key name="action.email.cc"></s:key>
        <s:key name="action.email.command">
          <![CDATA[$action.email.preprocess_results{default=""}$ |
                   sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$"
                   "use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$"
                   "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$"
                   "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$"
                   "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$"
                   "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$"
                   "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$"
                   "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$"
                   maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]>
        </s:key>
        <s:key name="action.email.format">html</s:key>
        <s:key name="action.email.from">splunk</s:key>
        <s:key name="action.email.hostname"></s:key>
        <s:key name="action.email.inline">0</s:key>
        <s:key name="action.email.mailserver">localhost</s:key>
        <s:key name="action.email.maxresults">10000</s:key>
        <s:key name="action.email.maxtime">5m</s:key>
        <s:key name="action.email.pdfview">MyView</s:key>
        <s:key name="action.email.preprocess_results"></s:key>
        <s:key name="action.email.reportPaperOrientation">portrait</s:key>
        <s:key name="action.email.reportPaperSize">letter</s:key>
        <s:key name="action.email.reportServerEnabled">0</s:key>
        <s:key name="action.email.reportServerURL"></s:key>
        <s:key name="action.email.sendpdf">1</s:key>
        <s:key name="action.email.sendresults">0</s:key>
        <s:key name="action.email.subject">Splunk Alert: $name$</s:key>
        <s:key name="action.email.to">info@example.com</s:key>
        <s:key name="action.email.track_alert">1</s:key>
        <s:key name="action.email.ttl">10</s:key>
        <s:key name="action.email.use_ssl">0</s:key>
        <s:key name="action.email.use_tls">0</s:key>
        <s:key name="cron_schedule">0 * * * *</s:key>
        <s:key name="description">New Description</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl elided -->
        <s:key name="is_scheduled">1</s:key>
        <s:key name="next_scheduled_time">2011-07-27 18:00:00 EDT</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

scheduled/views/{name}/dispatch POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/scheduled/views/MyView/dispatch -d trigger_actions=1
    
XML Response
<?xml version='1.0' encoding='UTF-8'?>
<response><sid>admin__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311805021_c24ff1ea77ad714b</sid></response>

scheduled/views/{name}/history GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/scheduled/views/MyVew/history
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>_ScheduledView__MyView</title>
  <id>https://localhost:8089/servicesNS/admin/search/scheduled/views</id>
  <updated>2011-07-27T16:25:22-04:00</updated>
  <generator version="104601"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/scheduled/views/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a</title>
    <id>https://localhost:8089/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a</id>
    <updated>2011-07-27T16:25:15-04:00</updated>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <published>2011-07-27T16:25:15-04:00</published>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a" rel="list"/>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a" rel="edit"/>
    <link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl elided -->
      </s:dict>
    </content>
  </entry>
</feed>

scheduled/views/{name}/reschedule POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/scheduled/views/_ScheduledView__dashboard2/reschedule -d schedule_time=2013-02-15T14:11:01Z
XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>scheduledviews</title>
  <id>https://localhost:8089/services/scheduled/views</id>
  <updated>2012-10-02T08:48:18-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/scheduled/views/_reload" rel="_reload"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

scheduled/views/{name}/scheduled_times GET

XML
XML Request

curl -k -u admin:admin https://localhost:8089/services/scheduled/views/_ScheduledView__dashboard_live/scheduled_times --get -d earliest_time=-5h -d latest_time=-3h
XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>scheduledviews</title>
  <id>https://wma-mbp15:8089/services/scheduled/views</id>
  <updated>2011-12-01T14:40:18-08:00</updated>
  <generator version="112383"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/scheduled/views/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>_ScheduledView__dashboard_live</title>
    <id>https://wma-mbp15:8089/servicesNS/admin/search/scheduled/views/_ScheduledView__dashboard_live</id>
    <updated>2011-12-01T14:40:18-08:00</updated>
    <link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__dashboard_live" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <!-- opensearch nodes elided for brevity. -->
    <content type="text/xml">
      <s:dict>
        <s:key name="action.email">1</s:key>
        <s:key name="action.email.auth_password"></s:key>
        <s:key name="action.email.auth_username"></s:key>
        <s:key name="action.email.bcc"></s:key>
        <s:key name="action.email.cc"></s:key>
        <s:key name="action.email.command"><![CDATA[$action.email.preprocess_results{default=""}$ | sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$" "use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$" "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$" "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" "searchid=$search_id$" "width_sort_columns=$action.email.width_sort_columns$" "graceful=$graceful{default=True}$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]></s:key>
        <s:key name="action.email.format">html</s:key>
        <s:key name="action.email.from">splunk</s:key>
        <s:key name="action.email.hostname"></s:key>
        <s:key name="action.email.inline">0</s:key>
        <s:key name="action.email.mailserver">localhost</s:key>
        <s:key name="action.email.maxresults">10000</s:key>
        <s:key name="action.email.maxtime">5m</s:key>
        <s:key name="action.email.pdfview">dashboard_live</s:key>
        <s:key name="action.email.preprocess_results"></s:key>
        <s:key name="action.email.reportPaperOrientation">portrait</s:key>
        <s:key name="action.email.reportPaperSize">letter</s:key>
        <s:key name="action.email.reportServerEnabled">1</s:key>
        <s:key name="action.email.reportServerURL"> </s:key>
        <s:key name="action.email.sendpdf">1</s:key>
        <s:key name="action.email.sendresults">0</s:key>
        <s:key name="action.email.subject">Splunk Alert: $name$</s:key>
        <s:key name="action.email.to">wma@splunk.com</s:key>
        <s:key name="action.email.track_alert">1</s:key>
        <s:key name="action.email.ttl">10</s:key>
        <s:key name="action.email.use_ssl">0</s:key>
        <s:key name="action.email.use_tls">0</s:key>
        <s:key name="action.email.width_sort_columns">1</s:key>
        <s:key name="cron_schedule">/5 * * * *</s:key>
        <s:key name="description">scheduled search for view name=dashboard_live</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl elided -->
        <s:key name="is_scheduled">1</s:key>
        <s:key name="next_scheduled_time">2011-12-01 15:00:00 PST</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

search/jobs GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/search/jobs --get -d search="eventCount>100"
XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>jobs</title>
  <id>https://localhost:8089/services/search/jobs</id>
  <updated>2011-06-21T10:12:22-07:00</updated>
  <generator version="100492"/>
  <author>
    <name>Splunk</name>
  </author>
  <opensearch:totalResults>8</opensearch:totalResults>
  <opensearch:itemsPerPage>0</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <entry>
    <title>search  index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput
        | chart sum(kb) by series | sort -sum(kb) | head 5</title>
    <id>https://localhost:8089/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4</id>
    <updated>2011-06-21T10:10:31.000-07:00</updated>
    <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4" rel="alternate"/>
    <published>2011-06-21T10:10:23.000-07:00</published>
    <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/search.log" rel="log"/>
    <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/events" rel="events"/>
    <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/results" rel="results"/>
    <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/results_preview" rel="results_preview"/>
    <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/timeline" rel="timeline"/>
    <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/summary" rel="summary"/>
    <link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/control" rel="control"/>
    <author>
      <name>splunk-system-user</name>
    </author>
    <content type="text/xml">
      <s:dict>
        <s:key name="cursorTime">1969-12-31T16:00:00.000-08:00</s:key>
        <s:key name="delegate">scheduler</s:key>
        <s:key name="diskUsage">73728</s:key>
        <s:key name="dispatchState">DONE</s:key>
        <s:key name="doneProgress">1.00000</s:key>
        <s:key name="dropCount">0</s:key>
        <s:key name="earliestTime">2011-06-20T10:10:00.000-07:00</s:key>
        <s:key name="eventAvailableCount">0</s:key>
        <s:key name="eventCount">1363</s:key>
        <s:key name="eventFieldCount">0</s:key>
        <s:key name="eventIsStreaming">1</s:key>
        <s:key name="eventIsTruncated">1</s:key>
        <s:key name="eventSearch">search index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput </s:key>
        <s:key name="eventSorting">none</s:key>
        <s:key name="isDone">1</s:key>
        <s:key name="isFailed">0</s:key>
        <s:key name="isFinalized">0</s:key>
        <s:key name="isPaused">0</s:key>
        <s:key name="isPreviewEnabled">0</s:key>
        <s:key name="isRealTimeSearch">0</s:key>
        <s:key name="isRemoteTimeline">0</s:key>
        <s:key name="isSaved">0</s:key>
        <s:key name="isSavedSearch">1</s:key>
        <s:key name="isZombie">0</s:key>
        <s:key name="keywords">group::per_sourcetype_thruput index::_internal source::*/metrics.log* source::*\metrics.log*</s:key>
        <s:key name="label">Top five sourcetypes</s:key>
        <s:key name="latestTime">2011-06-21T10:10:00.000-07:00</s:key>
        <s:key name="numPreviews">0</s:key>
        <s:key name="priority">5</s:key>
        <s:key name="remoteSearch">litsearch index=_internal ( source=*/metrics.log* OR source=*\\metrics.log* )
                group=per_sourcetype_thruput | addinfo  type=count label=prereport_events
                | fields  keepcolorder=t "kb" "prestats_reserved_*" "psrsvd_*" "series"
                | convert  num("kb")  | prestats  sum(kb) AS "sum(kb)" by series</s:key>
        <s:key name="reportSearch">chart  sum(kb) by series  | sort  -sum(kb)  | head  5</s:key>
        <s:key name="resultCount">4</s:key>
        <s:key name="resultIsStreaming">0</s:key>
        <s:key name="resultPreviewCount">4</s:key>
        <s:key name="runDuration">0.259000</s:key>
        <s:key name="scanCount">1363</s:key>
        <s:key name="searchEarliestTime">1308589800.000000000</s:key>
        <s:key name="searchLatestTime">1308676200.000000000</s:key>
        <s:key name="sid">scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4</s:key>
        <s:key name="statusBuckets">0</s:key>
        <s:key name="ttl">489</s:key>
        <s:key name="performance">
          <s:dict>
            <s:key name="command.addinfo">
              <s:dict>
                <s:key name="duration_secs">0.005</s:key>
                <s:key name="invocations">5</s:key>
                <s:key name="input_count">1363</s:key>
                <s:key name="output_count">1363</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.chart">
              <s:dict>
                <s:key name="duration_secs">0.003</s:key>
                <s:key name="invocations">1</s:key>
                <s:key name="input_count">100000</s:key>
                <s:key name="output_count">4</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.convert">
              <s:dict>
                <s:key name="duration_secs">0.006</s:key>
                <s:key name="invocations">5</s:key>
                <s:key name="input_count">1363</s:key>
                <s:key name="output_count">1363</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.fields">
              <s:dict>
                <s:key name="duration_secs">0.005</s:key>
                <s:key name="invocations">5</s:key>
                <s:key name="input_count">1363</s:key>
                <s:key name="output_count">1363</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.head">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">1</s:key>
                <s:key name="input_count">4</s:key>
                <s:key name="output_count">4</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.presort">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">1</s:key>
                <s:key name="input_count">4</s:key>
                <s:key name="output_count">4</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.prestats">
              <s:dict>
                <s:key name="duration_secs">0.014</s:key>
                <s:key name="invocations">5</s:key>
                <s:key name="input_count">1363</s:key>
                <s:key name="output_count">12</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.search">
              <s:dict>
                <s:key name="duration_secs">0.058</s:key>
                <s:key name="invocations">5</s:key>
                <s:key name="input_count">0</s:key>
                <s:key name="output_count">1363</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.search.fieldalias">
              <s:dict>
                <s:key name="duration_secs">0.003</s:key>
                <s:key name="invocations">3</s:key>
                <s:key name="input_count">1363</s:key>
                <s:key name="output_count">1363</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.search.filter">
              <s:dict>
                <s:key name="duration_secs">0.004</s:key>
                <s:key name="invocations">3</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.search.index">
              <s:dict>
                <s:key name="duration_secs">0.010</s:key>
                <s:key name="invocations">5</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.search.kv">
              <s:dict>
                <s:key name="duration_secs">0.011</s:key>
                <s:key name="invocations">3</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.search.lookups">
              <s:dict>
                <s:key name="duration_secs">0.003</s:key>
                <s:key name="invocations">3</s:key>
                <s:key name="input_count">1363</s:key>
                <s:key name="output_count">1363</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.search.rawdata">
              <s:dict>
                <s:key name="duration_secs">0.034</s:key>
                <s:key name="invocations">3</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.search.tags">
              <s:dict>
                <s:key name="duration_secs">0.005</s:key>
                <s:key name="invocations">5</s:key>
                <s:key name="input_count">1363</s:key>
                <s:key name="output_count">1363</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.search.typer">
              <s:dict>
                <s:key name="duration_secs">0.005</s:key>
                <s:key name="invocations">5</s:key>
                <s:key name="input_count">1363</s:key>
                <s:key name="output_count">1363</s:key>
              </s:dict>
            </s:key>
            <s:key name="command.sort">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">1</s:key>
                <s:key name="input_count">4</s:key>
                <s:key name="output_count">4</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.createProviderQueue">
              <s:dict>
                <s:key name="duration_secs">0.067</s:key>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.evaluate">
              <s:dict>
                <s:key name="duration_secs">0.038</s:key>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.evaluate.chart">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.evaluate.head">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.evaluate.search">
              <s:dict>
                <s:key name="duration_secs">0.037</s:key>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.evaluate.sort">
              <s:dict>
                <s:key name="duration_secs">0.001</s:key>
                <s:key name="invocations">1</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.fetch">
              <s:dict>
                <s:key name="duration_secs">0.126</s:key>
                <s:key name="invocations">6</s:key>
              </s:dict>
            </s:key>
            <s:key name="dispatch.stream.local">
              <s:dict>
                <s:key name="duration_secs">0.070</s:key>
                <s:key name="invocations">5</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="messages">
          <s:dict/>
        </s:key>
        <s:key name="request">
          <s:dict>
            <s:key name="ui_dispatch_app"></s:key>
            <s:key name="ui_dispatch_view"></s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="modifiable">true</s:key>
            <s:key name="sharing">global</s:key>
            <s:key name="app">search</s:key>
            <s:key name="can_write">true</s:key>
          </s:dict>
        </s:key>
        <s:key name="searchProviders">
          <s:list>
            <s:item>mbp15.splunk.com</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
  . . . elided . . .
</feed>

search/jobs POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/jobs --data-urlencode search="search index=_internal source=*/metrics.log" -d id=mysearch_02151949 -d max_count=50000 -d status_buckets=300

curl -u admin:changeme -k https://localhost:8089/services/search/jobs
    -d search="search *"
    -d custom.foobar="myCustomPropA"
    -d custom.foobaz="myCustomPropB"

Use the search/jobs GET request to view the custom properties.


curl -k -u admin:changed https://localhost:8089/services/search/jobs
    -d search="search index=_* *"
    -d search_mode="realtime"
    -d indexedRealtime="1"
    -d indexedRealtimeOffset="300"
XML Response

<response><sid>mysearch_02151949</sid></response>

search/jobs/export GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search="search index%3D_internal | head 1"
XML Response

<results preview='0'>
<meta>
<fieldOrder>
<field>_cd</field>
<field>_indextime</field>
<field>_raw</field>
<field>_serial</field>
<field>_si</field>
<field>_sourcetype</field>
<field>_subsecond</field>
<field>_time</field>
<field>host</field>
<field>index</field>
<field>linecount</field>
<field>source</field>
<field>sourcetype</field>
<field>splunk_server</field>
</fieldOrder>
</meta>
<messages>
  <msg type="DEBUG">base lispy: [ AND index::_internal ]</msg>
  <msg type="DEBUG">search context: user="admin", app="search", bs-pathname="/Applications/splunk/etc"</msg>
  <msg type="INFO">Your timerange was substituted based on your search string</msg>
</messages>

        <result offset='0'>
                <field k='_cd'>
                        <value><text>50:59480</text></value>
                </field>
                <field k='_indextime'>
                        <value><text>1333739623</text></value>
                </field>
                <field k='_raw'><v xml:space='preserve' trunc='0'>127.0.0.1 - admin [06/Apr/2012:12:13:42.943 -0700] "POST /servicesNS/admin/search/search/jobs/export HTTP/1.1" 200 2063 - - - 317ms</v></field>
                <field k='_serial'>
                        <value><text>0</text></value>
                </field>
                <field k='_si'>
                        <value><text>mbp15.splunk.com</text></value>
                        <value><text>_internal</text></value>
                </field>
                <field k='_sourcetype'>
                        <value><text>splunkd_access</text></value>
                </field>
                <field k='_subsecond'>
                        <value><text>.943</text></value>
                </field>
                <field k='_time'>
                        <value><text>2012-04-06 12:13:42.943 PDT</text></value>
                </field>
                <field k='host'>
                        <value><text>mbp15.splunk.com</text></value>
                </field>
                <field k='index'>
                        <value h='1'><text>_internal</text></value>
                </field>
                <field k='linecount'>
                        <value><text>1</text></value>
                </field>
                <field k='source'>
                        <value><text>/Applications/splunk/var/log/splunk/splunkd_access.log</text></value>
                </field>
                <field k='sourcetype'>
                        <value><text>splunkd_access</text></value>
                </field>
                <field k='splunk_server'>
                        <value><text>mbp15.splunk.com</text></value>
                </field>
        </result>
</results>

search/jobs/{search_id} DELETE

XML
XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/services/search/jobs/mysearch_02151949
XML Response

<response><messages><msg type='INFO'>Search job cancelled.</msg></messages></response

search/jobs/{search_id} GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949
XML Response

<entry
       xmlns="http://www.w3.org/2005/Atom"
       xmlns:s="http://dev.splunk.com/ns/rest"
       xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>search index</title>
  <id>https://localhost:8089/services/search/jobs/mysearch_02151949</id>
  <updated>2011-07-07T20:49:58.000-07:00</updated>
  <link href="/services/search/jobs/mysearch_02151949" rel="alternate"/>
  <published>2011-07-07T20:49:57.000-07:00</published>
  <link href="/services/search/jobs/mysearch_02151949/search.log" rel="search.log"/>
  <link href="/services/search/jobs/mysearch_02151949/events" rel="events"/>
  <link href="/services/search/jobs/mysearch_02151949/results" rel="results"/>
  <link href="/services/search/jobs/mysearch_02151949/results_preview" rel="results_preview"/>
  <link href="/services/search/jobs/mysearch_02151949/timeline" rel="timeline"/>
  <link href="/services/search/jobs/mysearch_02151949/summary" rel="summary"/>
  <link href="/services/search/jobs/mysearch_02151949/control" rel="control"/>
  <author>
    <name>admin</name>
  </author>
  <content type="text/xml">
    <s:dict>
      <s:key name="cursorTime">1969-12-31T16:00:00.000-08:00</s:key>
      <s:key name="delegate"></s:key>
      <s:key name="diskUsage">2174976</s:key>
      <s:key name="dispatchState">DONE</s:key>
      <s:key name="doneProgress">1.00000</s:key>
      <s:key name="dropCount">0</s:key>
      <s:key name="earliestTime">2011-07-07T11:18:08.000-07:00</s:key>
      <s:key name="eventAvailableCount">287</s:key>
      <s:key name="eventCount">287</s:key>
      <s:key name="eventFieldCount">6</s:key>
      <s:key name="eventIsStreaming">1</s:key>
      <s:key name="eventIsTruncated">0</s:key>
      <s:key name="eventSearch">search index</s:key>
      <s:key name="eventSorting">desc</s:key>
      <s:key name="isDone">1</s:key>
      <s:key name="isFailed">0</s:key>
      <s:key name="isFinalized">0</s:key>
      <s:key name="isPaused">0</s:key>
      <s:key name="isPreviewEnabled">0</s:key>
      <s:key name="isRealTimeSearch">0</s:key>
      <s:key name="isRemoteTimeline">0</s:key>
      <s:key name="isSaved">0</s:key>
      <s:key name="isSavedSearch">0</s:key>
      <s:key name="isZombie">0</s:key>
      <s:key name="keywords">index</s:key>
      <s:key name="label"></s:key>
      <s:key name="latestTime">1969-12-31T16:00:00.000-08:00</s:key>
      <s:key name="numPreviews">0</s:key>
      <s:key name="priority">5</s:key>
      <s:key name="remoteSearch">litsearch index | fields  keepcolorder=t "host" "index" "linecount" "source" "sourcetype" "splunk_server"</s:key>
      <s:key name="reportSearch"></s:key>
      <s:key name="resultCount">287</s:key>
      <s:key name="resultIsStreaming">1</s:key>
      <s:key name="resultPreviewCount">287</s:key>
      <s:key name="runDuration">1.004000</s:key>
      <s:key name="scanCount">287</s:key>
      <s:key name="sid">mysearch_02151949</s:key>
      <s:key name="statusBuckets">0</s:key>
      <s:key name="ttl">516</s:key>
      <s:key name="performance">
        <s:dict>
          <s:key name="command.fields">
            <s:dict>
              <s:key name="duration_secs">0.004</s:key>
              <s:key name="invocations">4</s:key>
              <s:key name="input_count">287</s:key>
              <s:key name="output_count">287</s:key>
            </s:dict>
          </s:key>
          <s:key name="command.search">
            <s:dict>
              <s:key name="duration_secs">0.089</s:key>
              <s:key name="invocations">4</s:key>
              <s:key name="input_count">0</s:key>
              <s:key name="output_count">287</s:key>
            </s:dict>
          </s:key>
          <s:key name="command.search.fieldalias">
            <s:dict>
              <s:key name="duration_secs">0.002</s:key>
              <s:key name="invocations">2</s:key>
              <s:key name="input_count">287</s:key>
              <s:key name="output_count">287</s:key>
            </s:dict>
          </s:key>
          <s:key name="command.search.index">
            <s:dict>
              <s:key name="duration_secs">0.005</s:key>
              <s:key name="invocations">4</s:key>
            </s:dict>
          </s:key>
          <s:key name="command.search.kv">
            <s:dict>
              <s:key name="duration_secs">0.002</s:key>
              <s:key name="invocations">2</s:key>
            </s:dict>
          </s:key>
          <s:key name="command.search.lookups">
            <s:dict>
              <s:key name="duration_secs">0.002</s:key>
              <s:key name="invocations">2</s:key>
              <s:key name="input_count">287</s:key>
              <s:key name="output_count">287</s:key>
            </s:dict>
          </s:key>
          <s:key name="command.search.rawdata">
            <s:dict>
              <s:key name="duration_secs">0.083</s:key>
              <s:key name="invocations">2</s:key>
            </s:dict>
          </s:key>
          <s:key name="command.search.tags">
            <s:dict>
              <s:key name="duration_secs">0.004</s:key>
              <s:key name="invocations">4</s:key>
              <s:key name="input_count">287</s:key>
              <s:key name="output_count">287</s:key>
            </s:dict>
          </s:key>
          <s:key name="command.search.typer">
            <s:dict>
              <s:key name="duration_secs">0.004</s:key>
              <s:key name="invocations">4</s:key>
              <s:key name="input_count">287</s:key>
              <s:key name="output_count">287</s:key>
            </s:dict>
          </s:key>
          <s:key name="dispatch.createProviderQueue">
            <s:dict>
              <s:key name="duration_secs">0.059</s:key>
              <s:key name="invocations">1</s:key>
            </s:dict>
          </s:key>
          <s:key name="dispatch.evaluate">
            <s:dict>
              <s:key name="duration_secs">0.037</s:key>
              <s:key name="invocations">1</s:key>
            </s:dict>
          </s:key>
          <s:key name="dispatch.evaluate.search">
            <s:dict>
              <s:key name="duration_secs">0.036</s:key>
              <s:key name="invocations">1</s:key>
            </s:dict>
          </s:key>
          <s:key name="dispatch.fetch">
            <s:dict>
              <s:key name="duration_secs">0.092</s:key>
              <s:key name="invocations">5</s:key>
            </s:dict>
          </s:key>
          <s:key name="dispatch.readEventsInResults">
            <s:dict>
              <s:key name="duration_secs">0.110</s:key>
              <s:key name="invocations">1</s:key>
            </s:dict>
          </s:key>
          <s:key name="dispatch.stream.local">
            <s:dict>
              <s:key name="duration_secs">0.089</s:key>
              <s:key name="invocations">4</s:key>
            </s:dict>
          </s:key>
          <s:key name="dispatch.timeline">
            <s:dict>
              <s:key name="duration_secs">0.359</s:key>
              <s:key name="invocations">5</s:key>
            </s:dict>
          </s:key>
        </s:dict>
      </s:key>
      <s:key name="messages">
        <s:dict/>
      </s:key>
      <s:key name="request">
        <s:dict>
          <s:key name="id">mysearch_02151949</s:key>
          <s:key name="search">search index</s:key>
        </s:dict>
      </s:key>
      <s:key name="eai:acl">
        <s:dict>
          <s:key name="perms">
            <s:dict>
              <s:key name="read">
                <s:list>
                  <s:item>admin</s:item>
                </s:list>
              </s:key>
              <s:key name="write">
                <s:list>
                  <s:item>admin</s:item>
                </s:list>
              </s:key>
            </s:dict>
          </s:key>
          <s:key name="owner">admin</s:key>
          <s:key name="modifiable">true</s:key>
          <s:key name="sharing">global</s:key>
          <s:key name="app">search</s:key>
          <s:key name="can_write">true</s:key>
        </s:dict>
      </s:key>
      <s:key name="searchProviders">
        <s:list>
          <s:item>mbp15.splunk.com</s:item>
        </s:list>
      </s:key>
    </s:dict>
  </content>
</entry>

search/jobs/{search_id} POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/search/jobs/{search_id} -d custom.*=UNDONE_curl_param
XML Response
TBD

search/jobs/{search_id}/control POST

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949/control -d action=pause
XML Response

<response><messages><msg type='INFO'>Search job paused.</msg></messages></response>

search/jobs/{search_id}/events GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/search/jobs/1312313809.20/events --get -d f=arch -d f=build -d f=connectionType -d r -d count=3
XML Response

<results preview='0'>
<meta>
<fieldOrder>
<field>arch</field>
<field>build</field>
<field>connectionType</field>
<field>date_hour</field>
</fieldOrder>
</meta>
        <result offset='0'>
                <field k='arch'>
                        <value><text>i686</text></value>
                </field>
                <field k='build'>
                        <value><text>98164</text></value>
                </field>
                <field k='connectionType'>
                        <value><text>cooked</text></value>
                </field>
                <field k='date_hour'>
                        <value><text>19</text></value>
                </field>
        </result>
        <result offset='1'>
                <field k='arch'>
                        <value><text>i686</text></value>
                </field>
                <field k='build'>
                        <value><text>98164</text></value>
                </field>
                <field k='connectionType'>
                        <value><text>cooked</text></value>
                </field>
                <field k='date_hour'>
                        <value><text>19</text></value>
                </field>
        </result>
        <result offset='2'>
                <field k='arch'>
                        <value><text>i686</text></value>
                </field>
                <field k='build'>
                        <value><text>98164</text></value>
                </field>
                <field k='connectionType'>
                        <value><text>cooked</text></value>
                </field>
                <field k='date_hour'>
                        <value><text>19</text></value>
                </field>
        </result>
</results>

search/jobs/{search_id}/results GET

JSON
JSON Request

curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949/results --get -d f=index -d f=source -d f=sourcetype -d count=3 -d output_mode=json
JSON Response

{ "init_offset" : 0,
  "messages" : [ { "text" : "base lispy: [ AND index::_internal source::*/metrics.log ]",
        "type" : "DEBUG"
      },
      { "text" : "search context: user=\"admin\", app=\"search\", bs-pathname=\"/Applications/splunk/etc\"",
        "type" : "DEBUG"
      }
    ],
  "preview" : false,
  "results" : [ { "index" : "_internal",
        "source" : "/Applications/splunk/var/log/splunk/metrics.log",
        "sourcetype" : "splunkd"
      },
      { "index" : "_internal",
        "source" : "/Applications/splunk/var/log/splunk/metrics.log",
        "sourcetype" : "splunkd"
      },
      { "index" : "_internal",
        "source" : "/Applications/splunk/var/log/splunk/metrics.log",
        "sourcetype" : "splunkd"
      }
    ]
}

search/jobs/{search_id}/results_preview GET

JSON
JSON Request

curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949/results_preview --get -d f=index -d f=source -d f=sourcetype -d count=3 -d output_mode=json
JSON Response

{ "init_offset" : 0,
  "messages" : [ { "text" : "base lispy: [ AND index::_internal source::*/metrics.log ]",
        "type" : "DEBUG"
      },
      { "text" : "search context: user=\"admin\", app=\"search\", bs-pathname=\"/Applications/splunk/etc\"",
        "type" : "DEBUG"
      }
    ],
  "preview" : false,
  "results" : [ { "index" : "_internal",
        "source" : "/Applications/splunk/var/log/splunk/metrics.log",
        "sourcetype" : "splunkd"
      },
      { "index" : "_internal",
        "source" : "/Applications/splunk/var/log/splunk/metrics.log",
        "sourcetype" : "splunkd"
      },
      { "index" : "_internal",
        "source" : "/Applications/splunk/var/log/splunk/metrics.log",
        "sourcetype" : "splunkd"
      }
    ]
}

search/jobs/{search_id}/search.log GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949/search.log
XML Response

TBD
Raw Response

07-07-2011 21:36:22.066 INFO  ApplicationManager - Found application directory: /Applications/splunk4.3/etc/apps/user-prefs
07-07-2011 21:36:22.066 INFO  ApplicationManager - Initialized at least 12 applications: /Applications/splunk4.3/etc/apps
07-07-2011 21:36:22.066 INFO  ApplicationManager - Found 5 application(s) that might have global exports
07-07-2011 21:36:22.073 INFO  dispatchRunner - initing LicenseMgr in search process: nonPro=0
07-07-2011 21:36:22.074 INFO  LicenseMgr - Initing LicenseMgr
07-07-2011 21:36:22.075 INFO  ServerConfig - My GUID is "1F3A34AE-75DA-4680-B184-5BF309843919".
07-07-2011 21:36:22.075 INFO  ServerConfig - My hostname is "ombroso-mbp15.local".
07-07-2011 21:36:22.076 INFO  SSLCommon - added zlib compression
07-07-2011 21:36:22.077 INFO  ServerConfig - Default output queue for file-based input: parsingQueue.
07-07-2011 21:36:22.077 INFO  LMConfig - serverName=mbp15.splunk.com guid=1F3A34AE-75DA-4680-B184-5BF309843919
07-07-2011 21:36:22.077 INFO  LMConfig - connection_timeout=30
07-07-2011 21:36:22.077 INFO  LMConfig - send_timeout=30
07-07-2011 21:36:22.077 INFO  LMConfig - receive_timeout=30
. . . elided . . .

search/jobs/{search_id}/summary GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/search/jobs/mytestsid/summary --get -d f=source -d f=sourcetype -d f=host -d top_count=5
XML Response

<?xml version='1.0' encoding='UTF-8'?>
<summary earliest_time='1969-12-31T16:00:00.000-08:00' latest_time='1969-12-31T16:00:00.464-08:00' duration='0' c='150375'>
        <field k='host' c='150375' nc='0' dc='1' exact='1'>
                <modes>
                        <value c='150375' exact='1'><text>tiny</text></value>                </modes>
        </field>
        <field k='source' c='150375' nc='0' dc='13' exact='1'>
                <modes>
                        <value c='136107' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/metrics.log</text></value>                        <value c='6682' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/splunkd_access.log</text></value>                        <value c='4656' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/scheduler.log</text></value>                        <value c='1714' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/web_access.log</text></value>                        <value c='937' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/splunkd.log</text></value>                </modes>
        </field>
        <field k='sourcetype' c='150375' nc='0' dc='10' exact='1'>
                <modes>
                        <value c='137053' exact='1'><text>splunkd</text></value>                        <value c='6682' exact='1'><text>splunkd_access</text></value>                        <value c='4656' exact='1'><text>scheduler</text></value>                        <value c='1714' exact='1'><text>splunk_web_access</text></value>                        <value c='193' exact='1'><text>splunk_web_service</text></value>                </modes>
        </field>
</summary>

search/jobs/{search_id}/timeline GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/services/search/jobs/mytestsid/timeline --get -d time_format="%c"
XML Response

<timeline c='150397' cursor='1312308000'>
<bucket c='7741' a='7741' t='1312308000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 11:00:00 2011</bucket>
<bucket c='7894' a='7894' t='1312311600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 12:00:00 2011</bucket>
<bucket c='7406' a='7406' t='1312315200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 13:00:00 2011</bucket>
<bucket c='6097' a='6097' t='1312318800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 14:00:00 2011</bucket>
<bucket c='6072' a='6072' t='1312322400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 15:00:00 2011</bucket>
<bucket c='6002' a='6002' t='1312326000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 16:00:00 2011</bucket>
<bucket c='6004' a='6004' t='1312329600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 17:00:00 2011</bucket>
<bucket c='5994' a='5994' t='1312333200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 18:00:00 2011</bucket>
<bucket c='6037' a='6037' t='1312336800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 19:00:00 2011</bucket>
<bucket c='6021' a='6021' t='1312340400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 20:00:00 2011</bucket>
<bucket c='6051' a='6051' t='1312344000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 21:00:00 2011</bucket>
<bucket c='6006' a='6006' t='1312347600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 22:00:00 2011</bucket>
<bucket c='6041' a='6041' t='1312351200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug  2 23:00:00 2011</bucket>
<bucket c='5993' a='5993' t='1312354800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 00:00:00 2011</bucket>
<bucket c='6040' a='6040' t='1312358400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 01:00:00 2011</bucket>
<bucket c='5993' a='5993' t='1312362000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 02:00:00 2011</bucket>
<bucket c='6061' a='6061' t='1312365600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 03:00:00 2011</bucket>
<bucket c='5995' a='5995' t='1312369200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 04:00:00 2011</bucket>
<bucket c='5988' a='5988' t='1312372800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 05:00:00 2011</bucket>
<bucket c='6042' a='6042' t='1312376400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 06:00:00 2011</bucket>
<bucket c='5998' a='5998' t='1312380000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 07:00:00 2011</bucket>
<bucket c='6055' a='6055' t='1312383600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 08:00:00 2011</bucket>
<bucket c='5997' a='5997' t='1312387200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 09:00:00 2011</bucket>
<bucket c='5994' a='5994' t='1312390800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 10:00:00 2011</bucket>
<bucket c='875' a='875' t='1312394400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug  3 11:00:00 2011</bucket>
</timeline>

search/parser GET

JSON
JSON Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/parser --get -d output_mode=json -d q="search index=os sourcetype=cpu"
JSON Response

{
        "remoteSearch": "litsearch  | fields  keepcolorder=t \"host\" \"index\" \"linecount\" \"source\" \"sourcetype\" \"splunk_server\"",
        "remoteTimeOrdered": true,
        "eventsSearch": "search ",
        "eventsTimeOrdered": true,
        "eventsStreaming": true,
        "reportsSearch": "",
        "commands": [
                {
                        "command": "search",
                        "rawargs": "",
                        "pipeline": "streaming",
                        "args": {
                                "search": [""],
                        }
                        "isGenerating": true,
                        "streamType": "SP_STREAM",
                },
        ]
}

search/scheduler GET

Request

curl -k -u admin:pass https://localhost:8089/services/search/scheduler
XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>scheduler</title>
  <id>https://localhost:8089/services/search/scheduler</id>
  <updated>2015-06-09T13:23:38-07:00</updated>
  <generator build="6cfc0237739f" version="6.3.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/search/scheduler/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>scheduler</title>
    <id>https://localhost:8089/services/search/scheduler/scheduler</id>
    <updated>2015-06-09T13:23:38-07:00</updated>
    <link href="/services/search/scheduler/scheduler" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/search/scheduler/scheduler" rel="list"/>
    <link href="/services/search/scheduler/scheduler" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="saved_searches_disabled">0</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

search/scheduler/status POST

XML
Request

curl -ku admin:pass -XPOST https://localhost:8089/services/search/scheduler/status -d disabled=1
XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>scheduler</title>
  <id>https://localhost:8089/services/search/scheduler</id>
  <updated>2015-06-09T13:40:21-07:00</updated>
  <generator build="6cfc0237739f" version="6.3.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/search/scheduler/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

search/timeparser GET

XML
XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/timeparser --get -d time=-12h -d time=-24h
XML Response

<response>
        <dict>
                <key name="-12h">2011-07-06T21:54:23.000-07:00</key>
                <key name="-24h">2011-07-06T09:54:23.000-07:00</key>
        </dict>
</response>

search/typeahead GET

JSON
JSON Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/typeahead --get -d count=3 -d prefix=source -d output_mode=json
JSON Response

{ "results" : [ { "content" : "source=\"sampledata.zip:./apache1.splunk.com/access_combined.log\"",
        "count" : 9199,
        "operator" : false
      },
      { "content" : "source=\"sampledata.zip:./apache2.splunk.com/access_combined.log\"",
        "count" : 27705,
        "operator" : false
      },
      { "content" : "source=\"sampledata.zip:./apache3.splunk.com/access_combined.log\"",
        "count" : 27888,
        "operator" : false
      }
    ]
}

System endpoints

System endpoint descriptions

This page is currently a work in progress; expect frequent near-term updates.

Manage server configuration settings and messages.

See Introspection endpoint descriptions for the system endpoints related to introspection.

messages


https://<host>:<mPort>/services/messages

Authentication: Not required

Description

Provides access to Splunk Enterprise system messages. Most messages are created by splunkd to inform the user of system problems.

Splunk Web typically displays these as bulletin board messages.

Method summary
Method Description Formats
GET Enumerate all systemwide messages. XML, JSON
POST Create a persistent message displayed at /services/messages. XML, JSON

GET messages method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
restart_required Splunk Enterprise system message indicating that restarting Splunk Enterprise is required.
Application usage

This is typically used for splunkd to advertise issues such as license quotas, license expirations, misconfigured indexes, and disk space.


POST messages method detail

Example

Request parameters
Name Type Default Description
<name>
required
String Message name (key).
severity String Message severity level:
info: Informative
warn: Warning condition
error: Error condition
value
required
String Message text.
Response data keys

None

[ Top ]



messages/{name}


https://<host>:<mPort>/services/messages/{name}

Authentication: Not required

Description

Manage the message associated with the {name} message ID.

Method summary
Method Description Formats
DELETE Deletes a message identified by {name}. XML, JSON
GET Get the entry corresponding to a single message identified by {name} XML, JSON

DELETE messages/{name} method detail

Example

Request parameters

None

Response data keys

None

Application usage

The method returns HTTP status code = 500, if {name} message does not exist.


GET messages/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
message The system message.

[ Top ]



server/control


https://<host>:<mPort>/services/server/control

Authentication: Not required

Description

Allows access to controls, such as restarting server.

Method summary
Method Description Formats
GET Lists the actions that can be performed at this endpoint. XML, JSON

GET server/control method detail

Example

Request parameters

None

Response data keys

None

[ Top ]



server/control/restart


https://<host>:<mPort>/services/server/control/restart

Authentication: Required

Description

Restart Splunk Enterprise splunkd server daemon and splunkweb Web interface.

See also

server/control/restart_webui

Method summary
Method Description Formats
POST Restart Splunk Enterprise splunkd server daemon and splunkweb Web interface. XML, JSON

POST server/control/restart method detail

Example

Request parameters

None

Response data keys

None

Application usage

This interface is equivalent to the splunk restart CLI command.

HTTP status code 200 indicates successful restart.

[ Top ]



server/control/restart_webui


https://<host>:<mPort>/services/server/control/restart_webui

Authentication: Not required

Description

Restart Splunk Web interface.

See also

server/control/restart

Method summary
Method Description Formats
POST Restart Splunk Web interface. XML, JSON

POST server/control/restart_webui method detail

Example

Request parameters

None

Response data keys

None

Application usage

This interface is equivalent to the splunk restart splunkweb CLI command, and restarts the Web interface on servers with the default app server mode set.

HTTP status code 200 indicates successful restart.

[ Top ]



server/logger


https://<host>:<mPort>/services/server/logger

Authentication: Not required

Description

Provides access to splunkd logging categories, either specified in code or in $SPLUNK_HOME/etc/log.cfg.

Method summary
Method Description Formats
GET Enumerates all splunkd logging categories, either specified in code or in $SPLUNK_HOME/etc/log.cfg XML, JSON

GET server/logger method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
level Logger level for this server.

Valid values: (FATAL | WARN | INFO | DEBUG)

[ Top ]



server/logger/{name}


https://<host>:<mPort>/services/server/logger/{name}

Authentication: Not required

Description

Manage the {name} logging category.

Method summary
Method Description Formats
GET Describes a specific splunkd logging category. XML, JSON
POST Sets the logging level for a specific logging category. XML, JSON

GET server/logger/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
level Logger level for this server.

Valid values: (FATAL | WARN | INFO | DEBUG)


POST server/logger/{name} method detail

Example

Request parameters
Name Type Default Description
level
required
Enum Valid values: (FATAL | WARN | INFO | DEBUG)

The desired logging level for this category.

Response data keys

None

[ Top ]



server/roles


https://<host>:<mPort>/services/server/roles

Authentication: Not required

Description

Access the server role information. A server can have zero or more of the following roles:

indexer universal_forwarder heavyweight_forwarder lightweight_forwarder license_master license_slave cluster_master cluster_slave cluster_search_head deployment_server deployment_client search_head search_peer

See also: /server/info endpoint, server-roles attribute.

Method summary
Method Description Formats
GET Get the roles applicable to this server. XML, JSON

GET server/roles method detail

Example

Request parameters

None

Response data keys
Name Description
<variable> List of defined roles, from the following possible server roles:
indexer
universal_forwarder
heavyweight_forwarder
lightweight_forwarder
license_master
license_slave
cluster_master
cluster_slave
cluster_search_head
deployment_server
deployment_client
search_head
search_peer

[ Top ]



server/settings


https://<host>:<mPort>/services/server/settings

Authentication: Not required

Description

Provides access to server configuration information for an instance of Splunk.

Method summary
Method Description Formats
GET Returns the server configuration of an instance of Splunk. XML, JSON

GET server/settings method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
SPLUNK_DB Absolute filepath to the default index for this instance of Splunk.
SPLUNK_HOME Absolute filepath to the local installation of this instance of Splunk.
enableSplunkWebSSL Indicates if https and SSL is enabled for Splunk Web.
host The default hostname to use for data inputs that do not override this setting.
httpport Port on which Splunk Web is listening for this instance of Splunk Enterprise.

Defaults to 8000. If using SSL, set to the HTTPS port number.

mgmtHostPort The port on which Splunk Web is listening for management operations. Defaults to 8089.
minFreeSpace Safe amount of space in MB that must exist for splunkd to continue operating.

minFreespace affects search and indexing:

Before attempting to launch a search, splunk requires this amount of free space on the filesystem where the dispatch directory is stored ($SPLUNK_HOME/var/run/splunk/dispatch).

Applied similarly to the search quota values in authorize.conf and limits.conf.

For indexing, periodically, the indexer checks space on all partitions that contain splunk indexes as specified by indexes.conf. When you need to clear more disk space, indexing is paused and Splunk Enterprise posts a UI banner + warning.

pass4SymmKey Password string that is prefixed to the Splunk Enterprise symmetric key, generating the final key to sign all traffic between master/slave licenser.
serverName Name used to identify this Splunk Enterprise instance for features such as distributed search.
sessionTimeout Time range string to set the amount of time before a user session times out, expressed as a search-like time range. Default is 1h (one hour).

For example:

24h: (24 hours)

3d: (3 days)

7200s: (7200 seconds, or two hours)

startwebserver Indicates if Splunk Web is started.
trustedIP The IP address of the authenticating proxy. Set to a valid IP address to enable SSO.

Disabled by default. Normal value is '127.0.0.1'

[ Top ]

System endpoint examples

messages GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/messages
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>messages</title>
 <id>https://localhost:8089/services/messages</id>
 <updated>2011-07-08T01:14:21-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/messages/_new" rel="create"/>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>restart_required</title>
   <id>https://localhost:8089/services/messages/restart_required</id>
   <updated>2011-07-08T01:14:21-07:00</updated>
   <link href="/services/messages/restart_required" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/messages/restart_required" rel="list"/>
   <link href="/services/messages/restart_required" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       ... eai:acl node elided ...
       <s:key name="restart_required">Splunk must be restarted for changes to take effect.</s:key>
     </s:dict>
   </content>
 </entry>

</feed>


messages POST

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/messages -d name=helloMessage -d value="hello world" -d severity="info"
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>messages</title>
 <id>https://localhost:8089/services/messages</id>
 <updated>2014-02-20T10:24:02-08:00</updated>
 <generator build="197187" version="6.1beta"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/messages/_new" rel="create"/>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>helloMessage</title>
   <id>https://localhost:8089/services/messages/helloMessage</id>
   <updated>2014-02-20T10:24:02-08:00</updated>
   <link href="/services/messages/helloMessage" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/messages/helloMessage" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="helloMessage">"hello world"</s:key>
       <s:key name="eai:acl">
          ... elided ...
       </s:key>
       <s:key name="message">"hello world"</s:key>
       <s:key name="severity">info</s:key>
       <s:key name="timeCreated_epochSecs">1392920642</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



messages/{name} DELETE

XML
XML Request

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/messages/message
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>messages</title>
 <id>https://localhost:8089/services/messages</id>
 <updated>2011-07-08T01:14:21-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/messages/_new" rel="create"/>
    ... opensearch elements elided ...
 <s:messages/>

</feed>



messages/{name} GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/messages/message
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>messages</title>
 <id>https://localhost:8089/services/messages</id>
 <updated>2011-07-08T01:14:21-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/messages/_new" rel="create"/>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>message</title>
   <id>https://localhost:8089/services/messages/message</id>
   <updated>2011-07-08T01:14:21-07:00</updated>
   <link href="/services/messages/message" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/messages/message" rel="list"/>
   <link href="/services/messages/message" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       ... eai:acl node elided ...
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="message">hello world</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



server/control GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/control
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>server-control</title>
 <id>https://localhost:8089/services/server/control</id>
 <updated>2011-07-12T00:17:53-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/server/control/restart" rel="restart"/>
    ... opensearch elements elided ...
 <s:messages/>

</feed>



server/control/restart POST

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/control/restart -X POST
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>server-control</title>
 <id>https://localhost:8089/services/server/control</id>
 <updated>2014-08-05T13:02:50-07:00</updated>
 <generator build="221120" version="6.2"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/server/control/restart" rel="restart"/>
 <link href="/services/server/control/restart_webui" rel="restart_webui"/>
 ... opensearch nodes elided ...
 <s:messages/>

</feed>


server/control/restart_webui POST

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/control/restart_webui -X POST
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>server-control</title>
 <id>https://localhost:8089/services/server/control</id>
 <updated>2014-08-05T12:10:37-07:00</updated>
 <generator build="221120" version="6.2"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/server/control/restart" rel="restart"/>
 <link href="/services/server/control/restart_webui" rel="restart_webui"/>
 ... opensearch elements elided ...
 <s:messages/>

</feed>


server/logger GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/logger
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>logger</title>
 <id>https://mrt:8089/services/server/logger</id>
 <updated>2011-05-16T20:29:38-0700</updated>
 <generator version="98144"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>AdminHandler:AuthenticationHandler</title>
   <id>https://mrt:8089/services/server/logger/AdminHandler%3AAuthenticationHandler</id>
   <updated>2011-05-16T20:29:38-0700</updated>
   <link href="/services/server/logger/AdminHandler%3AAuthenticationHandler" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/logger/AdminHandler%3AAuthenticationHandler" rel="list"/>
   <link href="/services/server/logger/AdminHandler%3AAuthenticationHandler" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">... elided ...</s:key>
       <s:key name="level">WARN</s:key>
     </s:dict>
   </content>
 </entry>
       .
       .
       .
     elided
       .
       .
       .
 <entry>
   <title>Application</title>
   <id>https://mrt:8089/services/server/logger/Application</id>
   <updated>2011-05-16T20:29:38-0700</updated>
   <link href="/services/server/logger/Application" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/logger/Application" rel="list"/>
   <link href="/services/server/logger/Application" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">... elided ...</s:key>
       <s:key name="level">WARN</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>ApplicationManager</title>
   <id>https://mrt:8089/services/server/logger/ApplicationManager</id>
   <updated>2011-05-16T20:29:38-0700</updated>
   <link href="/services/server/logger/ApplicationManager" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/logger/ApplicationManager" rel="list"/>
   <link href="/services/server/logger/ApplicationManager" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">... elided ...</s:key>
       <s:key name="level">WARN</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



server/logger/{name} GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/logger/Application
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:s="http://dev.splunk.com/ns/rest&quot;
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>
 <title>logger</title>
 <id>https://localhost:8089/services/server/logger</id>
 <updated>2011-07-02T15:10:44-07:00</updated>
 <generator version="100492"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>Application</title>
   <id>https://localhost:8089/services/server/logger/Application</id>
   <updated>2011-07-02T15:10:44-07:00</updated>
   <link href="/services/server/logger/Application" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/logger/Application" rel="list"/>
   <link href="/services/server/logger/Application" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">... elided ...</s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list>
               <s:item>level</s:item>
             </s:list>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="level">WARN</s:key>
     </s:dict>
   </content>
 </entry>

</feed>



server/logger/{name} POST

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/logger/Application -d level=INFO
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>logger</title>
 <id>https://localhost:8089/services/server/logger</id>
 <updated>2011-07-07T00:24:02-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <s:messages/>

</feed>



server/roles GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/roles
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot; xmlns:s="http://dev.splunk.com/ns/rest&quot; xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;>

<title>server-roles</title>
 <id>https://localhost:8089/services/server/roles</id>
 <updated>2014-04-02T12:13:07-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/server/roles/catalog_allPossible_predefined" rel="catalog_allPossible_predefined"/>
   ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>result</title>
   <id>https://localhost:8089/services/server/roles/result</id>
   <updated>2014-04-02T12:13:07-07:00</updated>
   <link href="/services/server/roles/result" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/roles/result" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
           ... elided ...
       </s:key>
       <s:key name="indexer"/>
       <s:key name="license_master"/>
       <s:key name="license_slave"/>
     </s:dict>
   </content>
 </entry>

</feed>



server/settings GET

XML
XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/settings
XML Response

<feed xmlns="http://www.w3.org/2005/Atom&quot;

    xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/&quot;
     xmlns:s="http://dev.splunk.com/ns/rest&quot;>
 <title>server-settings</title>
 <id>https://localhost:8089/services/server/settings</id>
 <updated>2011-07-08T01:56:40-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>settings</title>
   <id>https://localhost:8089/services/server/settings/settings</id>
   <updated>2011-07-08T01:56:40-07:00</updated>
   <link href="/services/server/settings/settings" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/settings/settings" rel="list"/>
   <link href="/services/server/settings/settings" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="SPLUNK_DB">/home/amrit/temp/curl/splunk/var/lib/splunk</s:key>
       <s:key name="SPLUNK_HOME">/home/amrit/temp/curl/splunk</s:key>
       ... eai:acl node elided ...
       <s:key name="enableSplunkWebSSL">0</s:key>
       <s:key name="host">MrT</s:key>
       <s:key name="httpport">8001</s:key>
       <s:key name="mgmtHostPort">8085</s:key>
       <s:key name="minFreeSpace">2000000</s:key>
       <s:key name="pass4SymmKey">changeme</s:key>
       <s:key name="serverName">MrT</s:key>
       <s:key name="sessionTimeout">1h</s:key>
       <s:key name="startwebserver">1</s:key>
       <s:key name="trustedIP"/>
     </s:dict>
   </content>
 </entry>

</feed>